Chapter 1: Introduction to the Windows Server 2003 Security Guide
Published: December 31, 2003 | Updated: April 26, 2006
Welcome to the Windows Server 2003 Security Guide. This guide is designed to provide you with the best information available to assess and counter security risks in your organization that are specific to Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1). The chapters in this guide provide detailed guidance about how to enhance security setting configurations and features in Windows Server 2003 with SP1 wherever possible to address threats that you have identified in your environment. This guide was created for systems engineers, consultants and network administrators who work in a Windows Server 2003 with SP1 environment.
This guide was reviewed and approved by Microsoft engineering teams, consultants, support engineers, as well as customers and partners. Microsoft worked with consultants and systems engineers who have implemented Windows Server 2003, Windows® XP, and Windows 2000 in a variety of environments to help establish the latest best practices to secure these servers and clients. This best practice information is described in detail in this guide.
The companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP (available at http://go.microsoft.com/fwlink/?LinkId=15159), provides a comprehensive overview of all of the major security settings that are present in Windows Server 2003 with SP1 and Windows XP with SP2. Chapters 2 through 12 of this guide include step-by-step security prescriptions, procedures, and recommendations to provide you with task lists that will help you achieve an elevated level of security for those computers that run Windows Server 2003 with SP1 in your organization. If you want more in-depth discussion of the concepts behind this material, refer to resources such as the Microsoft Windows Server 2003 Resource Kit, the Microsoft Windows XP Resource Kit, the Microsoft Windows 2000 Security Resource Kit, and Microsoft TechNet.
Whatever your environment, you are strongly advised to be serious about security issues. Many organizations underestimate the value of their information technology (IT) environment, often because they exclude substantial indirect costs. If an attack on the servers in your environment is severe enough, it could significantly damage the entire organization. For example, an attack in which your organization’s Web site is brought down could cause a major loss of revenue or customer confidence, which could affect your organization’s profitability. When you evaluate security costs, you should include the indirect costs that are associated with any attack in addition to the costs of lost IT functionality.
Vulnerability, risk, and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computers are subject to in a networked environment. This guide documents the major security countermeasures that are available in Windows Server 2003 with SP1, the vulnerabilities that they address, and the potential negative consequences (if any) of each countermeasure's implementation.
The guide then provides specific recommendations about how to harden computers that run Windows Server 2003 with SP1 in three distinct enterprise environments. The Legacy Client (LC) environment must support older operating systems such as Windows 98. The Enterprise Client (EC) environment is one in which Windows 2000 is the earliest version of the Windows operating system in use. The third environment is one in which concern about security is so great that significant loss of client functionality and manageability is considered an acceptable tradeoff to achieve the highest level of security. This third environment is known as the Specialized Security – Limited Functionality (SSLF) environment. Every effort has been made to make this information well organized and easily accessible so that you can quickly find and determine which settings are suitable for the computers in your organization. Although this guide is targeted at the enterprise customer, much of it is appropriate for organizations of any size.
To get the most value out of the material, you will need to read the entire guide.
You can also refer to the companion guide,
Threats and Countermeasures: Security Settings in
The team that produced this guide hopes that you will find the material covered in it useful, informative, and interesting.
Who Should Read This Guide
This guide is primarily intended for consultants, security specialists, systems architects, and IT professionals who plan application or infrastructure development and the deployment of Windows Server 2003. These roles include the following common job descriptions:
Scope of this Guide
This guide focuses on how to create and maintain a secure environment for computers that run Windows Server 2003 with SP1 in your organization. The guidance explains the different stages of how to secure the three environments that are defined in the guide, and what each prescribed server setting addresses in terms of client dependencies. The three environments are described as follows:
Guidance about ways to harden computers in these three environments is provided for a group of distinct server roles. The countermeasures that are described and the tools that are provided assume that each server will have a single role. If you need to combine roles for some of the servers in your environment, you can customize the security templates that are included in the download that accompanies this guide to create the appropriate combination of services and security options. The roles that are described in this guide include:
The recommended settings in this guide were tested thoroughly in lab environments that simulated the previously described Legacy Client, Enterprise Client, and Specialized Security – Limited Functionality environments. These settings were proven to work in the lab, but it is important that your organization test these settings in your own lab that accurately represents your production environment. It is likely that you will need to make some changes to the security templates and the manual procedures that are documented within this guide so that all of your business applications continue to function as expected. The detailed information that is provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, provides the information that you need to assess each specific countermeasure and to decide which of them are appropriate for your organization's unique environment and business requirements.
The Windows Server 2003 Security Guide consists of 13 chapters. Each chapter builds on the end-to-end solution process that is required to implement and secure Windows Server 2003 with SP1 in your environment. The first few chapters describe how to build a foundation that will allow you to harden the servers in your organization, and the rest of the chapters document the procedures that are unique to each server role.
Chapter 1: Introduction to the Windows Server 2003 Security Guide
This chapter introduces the Windows Server 2003 Security Guide and includes a brief overview of each chapter. It describes the Legacy Client, Enterprise Client, and Specialized Security – Limited Functionality environments and the computers that run in them.
Chapter 2: Windows Server 2003 Hardening Mechanisms
This chapter provides an overview of the main mechanisms that are used to harden Windows Server 2003 SP1 in this guide—the Security Configuration Wizard (SCW) and Active Directory Group Policy. It explains how SCW provides an interactive framework to create, manage, and test security policies for Windows servers that serve in different roles. It also evaluates the capabilities of SCW within the context of the three environments that are described in Chapter 1.
The next part of this chapter provides high-level descriptions of Active Directory design, organizational unit (OU) design, Group Policy Objects (GPOs), administrative group design, and domain policy. These topics are discussed in the context of the three environments that are described in Chapter 1 to provide a vision of an ideal secure end-state environment.
This chapter concludes with a detailed examination of how this guide combines the best features of SCW and traditional GPO-based approaches to harden Windows Server 2003 with SP1.
Chapter 3: The Domain Policy
This chapter explains security template settings and additional countermeasures for the domain-level policies in the three environments that are described in Chapter 1. The chapter does not focus on any specific server role, but on the specific policies and settings that are useful for top-level domain policies.
Chapter 4: The Member Server Baseline Policy
This chapter explains security template settings and additional countermeasures for the different server roles in the three environments that are described in Chapter 1. The chapter focuses on how to establish a Member Server Baseline Policy (MSBP) for the server roles that are discussed later in the guide.
The recommendations in this chapter are designed to allow organizations to safely deploy setting configurations for both existing and new deployments of Windows Server 2003 with SP1. The default security configurations within Windows Server 2003 SP1 were researched and tested, and the recommendations in this chapter were determined to provide greater security than the default operating system settings. Occasionally, a less restrictive setting is suggested than the one that is present in the default installation of Windows Server 2003 with SP1 to provide support for Legacy Client environments.
Chapter 5: The Domain Controller Baseline Policy
The domain controller server role is one of the most important roles to secure in any Active Directory environment with computers that run Windows Server 2003 with SP1. Any loss or compromise of a domain controller could seriously affect client computers, servers, and applications that rely on domain controllers for authentication, Group Policy, and a central lightweight directory access protocol (LDAP) directory.
This chapter describes the need to always store domain controllers in physically secure locations that are accessible only to qualified administrative staff. The hazards of domain controllers in unsecured locations such as branch offices are addressed, and a significant portion of the chapter is devoted to an explanation of the security considerations that are the basis for the recommended Domain Controller Group Policy.
Active Directory domain controllers require a stable, properly configured DNS service. By default, Windows Server 2003 with SP1 integrates DNS zones into Active Directory, which allows domain controllers to run the DNS service and answer DNS requests for clients in the Active Directory domain. This chapter assumes that the domain controller will also provide DNS service and provides the appropriate guidance.
Chapter 6: The Infrastructure Server Role
In this chapter, the infrastructure server role is defined as either a DHCP server or a WINS server. Details are provided about how the Windows Server 2003 with SP1 infrastructure servers in your environment can benefit from security settings that are not applied by the Member Server Baseline Policy (MSBP). This chapter does not include configuration information for the DNS service, which is included in the domain controller role.
Chapter 7: The File Server Role
This chapter focuses on the File server role and the difficult aspects of how to harden such servers. The most essential services for file servers require use of Windows NetBIOS-related protocols and the SMB and CIFS protocols. The Server Message Block (SMB) and Common Internet File System (CIFS) protocols are typically used to provide access for authenticated users, but when improperly secured they can also disclose rich information to unauthenticated users or attackers. Because of this threat, these protocols are often disabled in high-security environments. This chapter describes how file servers that run Windows Server 2003 with SP1 can benefit from security settings that are not applied by the MSBP.
Chapter 8: The Print Server Role
This chapter focuses on print servers. Like file servers, the most essential services for print servers require use of Windows NetBIOS-related protocols and the SMB and CIFS protocols. As stated earlier, these protocols are often disabled in high-security environments. This chapter describes how Windows Server 2003 with SP1 print server security settings can be strengthened in ways that are not applied by the MSBP.
Chapter 9: The Web Server Role
This chapter describes how comprehensive security for Web sites and applications requires an entire IIS server (including each Web site and application that runs on the IIS server) to be protected from client computers in its environment. Web sites and applications also must be protected from other Web sites and applications that run on the same IIS server. Practices to ensure that these measures are achieved by the IIS servers that run Windows Server 2003 with SP1 in your environment are described in detail in this chapter.
IIS is not installed on members of the Microsoft Windows Server System™ family by default. When IIS is initially installed, it is in a highly secure "locked" mode. For example, the default settings only allow IIS to serve static content. Features such as Active Server Pages (ASP), ASP.NET, Server-Side Includes, WebDAV publishing, and Microsoft FrontPage® Server Extensions must be enabled by the administrator through the Web Service Extensions node in Internet Information Services Manager (IIS Manager).
Sections in this chapter provide details about a variety of settings you can use to harden the IIS servers in your environment. The need to monitor, detect, and respond to security issues is emphasized to ensure that the servers stay secure. This chapter focuses on IIS Web protocols and applications, such as HTTP, and does not include guidance on the other protocols that IIS can provide, such as SMTP, FTP, and NNTP.
Chapter 10: The IAS Server Role
Internet Authentication Servers (IAS) provide Remote Authentication Dial-In User Services (RADIUS), a standards-based authentication protocol that is designed to verify the identity of clients who access networks remotely. This chapter describes ways in which IAS servers that run Windows Server 2003 with SP1 can benefit from security settings that are not applied by the MSBP.
Chapter 11: The Certificate Services Server Role
Certificate Services provide the cryptographic and certificate management services that are needed to build a public key infrastructure (PKI) in your server environment. This chapter describes ways in which Certificate Services servers that run Windows Server 2003 with SP1 will benefit from security settings that are not applied by the MSBP.
Chapter 12: The Bastion Hosts Role
Bastion host servers are accessible to client computers from the Internet. In this chapter, it is explained how these publicly exposed computers are susceptible to attack from a large number of users who can remain completely anonymous if they wish. Many organizations do not extend their domain infrastructure to the Internet. For this reason, this chapter content focuses on how to harden stand-alone computers. Details are provided about ways in which bastion hosts that run Windows Server 2003 with SP1 can benefit from the security recommendations in this guide for computers that are not members of an Active Directory–based domain.
Chapter 13: Conclusion
The concluding chapter of this guide reviews the important points of the material that was presented in the previous chapters.
Appendix A: Security Tools and Formats
Although this guide focuses on how to use SCW to create policies which are then converted to security templates and Group Policy objects, there are a variety of other tools and file formats that can be used to augment or replace this methodology. This appendix provides a short list of these tools and formats.
Appendix B: Key Settings to Consider
This guide discusses many security countermeasures and security settings, but it is important to understand a small number of them are particularly important. This appendix discusses the settings that will have the biggest impact on security of computers that run Windows Server 2003 with SP1.
Appendix C: Security Template Setting Summary
This appendix introduces the Microsoft Excel® workbook "Windows Server 2003 Security Guide Settings," which is included with the tools and templates in the downloadable version of this guide at http://go.microsoft.com/fwlink/?LinkId=14846. This spreadsheet provides a comprehensive master reference in a compact, usable form of all of the recommended settings for the three environments that are defined in this guide.
Appendix D: Testing the Windows Server 2003 Security Guide
This guide provides a significant amount of information about how to harden servers that run Windows Server 2003 with SP1, but the reader is constantly cautioned to test and validate all settings before they implement any settings in a production environment.
This appendix provides guidance about how to create a suitable test lab environment that can be used to help ensure successful implementation of the recommended settings in a production environment. It helps users to perform necessary validation and minimizes the amount of resources that are needed to do so.
Tools and Templates
A collection of security templates, scripts, and additional tools are included with the downloadable version of this guide to help your organization to evaluate, test, and implement the recommended countermeasures. The security templates are text files that can be imported into domain–based Group Policies or applied locally with the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in. These procedures are detailed in Chapter 2, "Windows Server 2003 Hardening Mechanisms." The scripts that are included with this guide include scripts to create and link Group Policy objects as well as test scripts that are used to test the recommended countermeasures. Also included is the Excel workbook that summarizes the security template settings (referenced in the earlier "Appendix C" section).
The files that accompany this guide are collectively referred to as tools and templates. These files are included in a .msi file within the self-extracting WinZip archive that contains this guide, which is available on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=14846. When you execute the .msi file, the following folder structure will be created in the location you specify:
Skills and Readiness
IT professionals who develop, deploy, and secure installations of Windows Server 2003 and Windows XP in an enterprise environment require the following knowledge and skills:
The software requirements for the tools and templates that are documented in this guide are:
This guide uses the following style conventions and terminology.
Table 1.1 Style Conventions
This chapter provided an overview of the primary factors that are involved to secure computers that run Windows Server 2003 with SP1, which are considered and discussed in greater detail in the rest of the guide. Now that you understand how this guide is organized, you can decide whether to read it from beginning to end or select only those sections that interest you.
However, it is important to remember that effective and successful security operations require improvements in all of the areas that are discussed in this guide, not just a few. For this reason, Microsoft recommends that you read the entire guide to take full advantage of all the information it contains to secure computers that run Windows Server 2003 with SP1 in your organization.
The following links provide additional information about topics that relate to security and Windows Server 2003 with SP1.