Windows Server 2003 Hardening Checklist
Helpdesk 75220 / itservicedesk@umb.edu
Author: Robert.Sarao

Introduction:

This checklist contains server hardening procedures that balance industry best practices with the unique requirements of UMass/Boston's environment. Since Windows Server 2003 does not come configured securely out of the box, it is necessary to follow these steps to prevent attacks that exploit known vulnerabilities. These steps should be followed to secure a typical UCDHSC Windows 2003 server, but may not be appropriate in all cases. Where an exception must be made, document the reason for the exception and any mitigating actions on this worksheet. In all cases, retain this worksheet for future reference.

Procedure:

* Install the latest Service Pack from http://windowsupdate.microsoft.com. Each Service Pack for Windows includes all security fixes from previous Service Packs. Keep up to date on Service Pack releases and install the correct Service Pack for your servers as soon as operational circumstances allow.

* Install the appropriate post-Service Pack security hot fixes from http://windowsupdate.microsoft.com. Microsoft issues security bulletins through its Security Notification Service. When a bulletin recommends a security hot fix, download and test it immediately, then install it on your member servers as soon as operational circumstances allow.

* Configure local accounts.
  - Make sure the local Guest account is disabled. This is the default in Windows Server 2003.
  - Enable account lockout on the local Administrator account. The built-in Administrator account is not subject to the account lockout policy, so on Windows Server 2003 this still has to be done with the Resource Kit tool passprop (passprop /adminlockout). The lockout applies to network logons only; Administrator can still log on at the console.
  - Rename the local Administrator account to something other than Administrator.
  - Ensure that the local Administrator password meets the following criteria:
    - at least sixteen characters;
    - both upper and lower case letters;
    - digits and punctuation characters as well as letters;
    - not a word in any language, slang, dialect, jargon, etc.;
    - not based on personal information.
  - Make sure that Domain Admins are members of the local Administrators group.
  - Disable or delete unnecessary accounts quarterly. Review the list of active accounts (both users and applications) in the Computer Management snap-in, disable any inactive accounts, and delete accounts that are no longer required, including duplicate user accounts, test accounts, shared accounts, and general departmental accounts.
  - Use group policies to assign permissions as needed.

* Disable unnecessary services. After installing Windows Server 2003, disable any network service not required for the server role. In particular, consider whether the server should be running the Server service (file and print sharing); web or FTP services belong on this list too if they are not needed. A list of services that can be shut off is available at blackviper.com, or consult an IT security engineer. Also avoid installing applications on the server unless they are absolutely necessary to its function: do not install e-mail clients, office productivity tools, or utilities that are not strictly required for the server to do its job.
  - If SNMP is enabled, there must be no read/write (R/W) community string, and the read-only (RO) community string must be set to something other than "public". Choose the community string with the same guidelines as a complex password (SNMP v1 and v2c send it in clear text, so also restrict which hosts may query the agent).

* Set stronger password policies. Use the Domain Security Policy (or Local Security Policy) snap-in to strengthen the policies for password acceptance, including:
  - Set the minimum password length to at least eight characters.
  - Set a minimum password age.
  - Set a maximum password age.
  - Set password history maintenance.
  - Enable password complexity.

  Local Security Policy -> Security Settings -> Account Policies -> Password Policy:

  Password Setting                               Recommended Setting
  Enforce password history                       12 passwords remembered
  Maximum password age                           90 days or less
  Minimum password age                           2 days
  Minimum password length                        8 characters
  Password must meet complexity requirements     Enabled
  Store passwords using reversible encryption    Disabled

  Note: Increase the event log size from the 16384 KB default to at least 81920 KB (the setting is in kilobytes; see the Event Log settings later in this checklist).

* Prevent the last logged-in user name from being displayed. The logon dialog otherwise reveals a valid user name that can later be used in a password-guessing attack. Disable this feature using the security templates provided on the installation CD, or via the Group Policy snap-in:
  Local Security Policy -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Do not display last user name = Enabled

* Configure a strong audit policy. Successful and failed logons, as well as privilege use, should be logged and monitored to detect unauthorized activity. Applied Trust suggests the following auditing settings:

  Audit Policy                       Recommended Setting
  Audit account logon events         Success, Failure
  Audit account management           Success, Failure
  Audit directory service access     No auditing
  Audit logon events                 Success, Failure
  Audit object access                No auditing
  Audit policy change                Success, Failure
  Audit privilege use                Success, Failure
  Audit process tracking             No auditing
  Audit system events                No auditing

* Install antivirus software and updates. Make sure on-access file scanning is enabled and automatic definition updates are configured (Malwarebytes or another product; ComboFix is a one-off cleanup tool rather than a resident scanner and does not satisfy this item by itself). Consult the IT Helpdesk if assistance is needed.

* Configure appropriate access control on file shares. Permissions are enforced through NTFS security, so all folders and files should be secured with standard NTFS settings.
  - Apply minimum-access rules: create groups so that the smallest possible number of users has write access.
  - Where possible, remove the Everyone entry and replace it with specific user groups.
  - Once NTFS permissions have been applied, the most efficient share-level setting is to give Authenticated Users Full Control on the share and let the NTFS permissions restrict access. (Confirm this with your application's guidelines.)

* Configure the BIOS and removable media:
  - Disable the autorun feature on the CD-ROM drive.
  - Boot from the hard drive only.
  - Disable the F12 key.
  - Enable a BIOS password.

  To disable CD-ROM autorun, run the Registry Editor (REGEDIT.EXE), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom, double-click the Autorun value and set it to 0. (If the value is not there, create it with Edit -> New -> DWORD Value and name it "Autorun".) You may have to log out and log back in for the change to take effect.
  Note: With this setting, Windows is no longer notified when a new CD is inserted. To make sure the correct icon and title for the current CD are displayed in My Computer and Explorer, press F5 to refresh the window.

* Protect the registry from anonymous access.

* Rename the Guest account even though it is disabled.

* Make sure the server firewall is turned on and blocks unneeded ports, such as TCP 21 (FTP) and TCP 80 (web) when the server does not offer those services. Contact IT security staff if you have questions or need assistance.

* Restrict anonymous RPC access. In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC, set the DWORD value RestrictRemoteClients to one of the following:
  - 1: The default (from Service Pack 1 on): interfaces may be reached only over authenticated connections, unless an interface specifically requests to be exempt from this requirement. (This exemption is required for some DCOM scenarios.)
  - 2: Remote access to interfaces is permitted only over authenticated connections, with no exceptions.

* Ensure users have the correct level of debugging access.
  This is the "Debug programs" user right (SeDebugPrivilege). Set it per machine through Administrative Tools (in Control Panel) -> Local Security Policy -> Local Policies -> User Rights Assignment, or programmatically through the Platform SDK. By default only Administrators hold it; do not grant it to ordinary users or service accounts, because a holder can attach to and read the memory of any process, including LSASS.

* Set up the event logs.
  GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\

  Setting                                                    Value
  Maximum application log size                               81920 KB (default 16384 KB)
  Maximum security log size                                  81920 KB (default 16384 KB)
  Maximum system log size                                    81920 KB (default 16384 KB)
  Prevent local guests group from accessing application log  Enabled
  Prevent local guests group from accessing security log     Enabled
  Prevent local guests group from accessing system log       Enabled
  Retain application log                                     Not defined
  Retain security log                                        Not defined
  Retain system log                                          Not defined
  Retention method for application log                       Overwrite as needed
  Retention method for security log                          Overwrite as needed
  Retention method for system log                            Overwrite as needed

  - Set log files for rollover: archive the logs before they fill, since "Overwrite as needed" silently discards the oldest events once the maximum size is reached.
  - Dump the system registry quarterly.

* Once the server has been built, create a Level 0 (full) backup of all drives and the System State. Store this backup for the life of the machine as a forensic baseline in case of a security incident. Create and retain additional Level 0 backups for the machine's lifetime upon major system upgrades.
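The password policy, audit policy, last-user-name and event-log items above can be verified offline instead of by clicking through the snap-ins. The Python script below is an added example and is not part of the UMass checklist: it parses the INI-style template that `secedit /export /cfg <file>` writes on the server (MinimumPasswordLength, AuditPrivilegeUse, MaximumLogSize and the other keys are the standard security-template names; audit values are a bit mask with 1 = Success, 2 = Failure, 3 = both; the export is UTF-16, so open it with encoding="utf-16") and lists every item that does not meet the checklist. The embedded template is constructed for the example and deliberately misses three items.

```python
r"""Check a secedit template export against the Windows Server 2003 checklist.

Run on the server:   secedit /export /cfg C:\baseline.inf
then feed the file's text to audit_template(); each returned line is one unmet item.
"""

# secedit encodes audit settings as a bit mask: 1 = Success, 2 = Failure, 3 = both.
SUCCESS_AND_FAILURE = 3
MIN_LOG_KB = 81920  # the checklist's "at least 81920 KB"; 16384 KB is the default


def parse_template(text):
    """Parse the INI-style .inf into {section: {lowercased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def _both(v):
    return int(v) == SUCCESS_AND_FAILURE


# (section, key, predicate on the exported string, checklist wording)
EXPECTED = [
    ("System Access", "passwordhistorysize", lambda v: int(v) >= 12, "Enforce password history: 12"),
    ("System Access", "maximumpasswordage", lambda v: 0 < int(v) <= 90, "Maximum password age: <= 90 days"),
    ("System Access", "minimumpasswordage", lambda v: int(v) >= 2, "Minimum password age: 2 days"),
    ("System Access", "minimumpasswordlength", lambda v: int(v) >= 8, "Minimum password length: 8"),
    ("System Access", "passwordcomplexity", lambda v: int(v) == 1, "Password complexity: Enabled"),
    ("System Access", "cleartextpassword", lambda v: int(v) == 0, "Reversible encryption: Disabled"),
    ("Event Audit", "auditaccountlogon", _both, "Audit account logon events: Success, Failure"),
    ("Event Audit", "auditaccountmanage", _both, "Audit account management: Success, Failure"),
    ("Event Audit", "auditlogonevents", _both, "Audit logon events: Success, Failure"),
    ("Event Audit", "auditpolicychange", _both, "Audit policy change: Success, Failure"),
    ("Event Audit", "auditprivilegeuse", _both, "Audit privilege use: Success, Failure"),
    ("Registry Values",
     r"machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername",
     lambda v: v == "4,1", "Interactive logon: Do not display last user name: Enabled"),
]
for _log in ("Application Log", "Security Log", "System Log"):
    EXPECTED.append((_log, "maximumlogsize", lambda v: int(v) >= MIN_LOG_KB,
                     f"{_log}: Maximum log size >= {MIN_LOG_KB} KB"))
    EXPECTED.append((_log, "restrictguestaccess", lambda v: int(v) == 1,
                     f"{_log}: Prevent local guests group from accessing log"))


def audit_template(text):
    """Return the checklist items the exported template does not satisfy."""
    sections = parse_template(text)
    failures = []
    for section, key, ok, wanted in EXPECTED:
        value = sections.get(section, {}).get(key)
        if value is None:
            failures.append(f"{wanted} (not present in export)")
        elif not ok(value):
            failures.append(f"{wanted} (found {value})")
    return failures


# Constructed sample export (not from a real server); three items deliberately miss the mark.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 12
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 1
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Application Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for item in audit_template(SAMPLE_INF):
        print("FAIL", item)
```

Keep the export itself with the worksheet: it documents the state of the server at build time and is the quickest way to spot drift later.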
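The registry items in this checklist (CD-ROM Autorun, RPC RestrictRemoteClients, and the last-user-name setting) can be audited the same way from a saved `reg query` run, and the fix can be emitted as `reg add` commands rather than typed into REGEDIT. This Python script is an added example, not part of the checklist; it assumes the reg.exe output layout of the 2003 era (the key on its own line, followed by indented `name  REG_DWORD  0x..` lines). Choosing 2 as the fix value for RestrictRemoteClients is this example's assumption; use 1 where the server needs the DCOM exemption. The sample output is constructed.

```python
r"""Audit the checklist's registry items from a saved ``reg query`` run.

On the server, collect the current values into one file:
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom" /v Autorun > reg.txt
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC" /v RestrictRemoteClients >> reg.txt
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName >> reg.txt
then run audit_registry() / remediation() on the file's text.
"""
import re

# (key, value name, acceptable values, value written by the remediation command)
# RestrictRemoteClients: 1 is the SP1 default; 2 (no exemptions) is assumed here as the fix.
CHECKS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom", "Autorun", {0}, 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC", "RestrictRemoteClients", {1, 2}, 2),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName", {1}, 1),
]

# An indented value line:  <name>  REG_<type>  <data>
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def _norm(key):
    """reg.exe prints the long hive name; compare keys case-insensitively in short form."""
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1).lower()


def parse_reg_query(text):
    """Return {(normalized key, lowercased value name): int} for every REG_DWORD seen."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_") or line.startswith("HKLM"):
            key = _norm(line.strip())
            continue
        m = _VALUE_LINE.match(line)
        if m and key and m.group(2) == "REG_DWORD":
            values[(key, m.group(1).lower())] = int(m.group(3), 0)  # data printed as 0x..
    return values


def audit_registry(text):
    """List the checklist items that are missing or set to a disallowed value."""
    present = parse_reg_query(text)
    findings = []
    for key, name, allowed, _ in CHECKS:
        actual = present.get((_norm(key), name.lower()))
        if actual is None:
            findings.append(f"{key}\\{name}: not set")
        elif actual not in allowed:
            findings.append(f"{key}\\{name}: is {actual}, expected {sorted(allowed)}")
    return findings


def remediation(text):
    """Emit one ``reg add`` command per failing item (run them as Administrator, then reboot/log off)."""
    present = parse_reg_query(text)
    return [f'reg add "{key}" /v {name} /t REG_DWORD /d {fix} /f'
            for key, name, allowed, fix in CHECKS
            if present.get((_norm(key), name.lower())) not in allowed]


# Constructed sample: Autorun still enabled, RPC key absent, last user name already hidden.
SAMPLE_REG_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
    Autorun     REG_DWORD       0x1

ERROR: The system was unable to find the specified registry key or value.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    DontDisplayLastUserName     REG_DWORD       0x1
"""

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REG_OUTPUT):
        print("FAIL", finding)
    for cmd in remediation(SAMPLE_REG_OUTPUT):
        print(cmd)
```

Review the generated commands before running them; on a server that hosts DCOM applications, change the RestrictRemoteClients value to 1 as the checklist allows.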