Published: December 31, 2003 | Updated: April 26, 2006
Overview
Welcome to the Windows Server 2003 Security Guide. This guide
is designed to provide you with the best information available to assess and counter
security risks in your organization that are specific to Microsoft® Windows Server™
2003 with Service Pack 1 (SP1). The chapters in this guide provide detailed guidance
about how to enhance security setting configurations and features in Windows Server
2003 with SP1 wherever possible to address threats that you have identified in your
environment. This guide was created for systems engineers, consultants and network
administrators who work in a Windows Server 2003 with SP1 environment.
This guide was reviewed and approved by Microsoft engineering teams, consultants,
support engineers, as well as customers and partners. Microsoft worked with consultants
and systems engineers who have implemented Windows Server 2003, Windows® XP, and
Windows 2000 in a variety of environments to help establish the latest best practices
to secure these servers and clients. This best practice information is described
in detail in this guide.
The companion guide, Threats
and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
(available at http://go.microsoft.com/fwlink/?LinkId=15159), provides a comprehensive
overview of all of the major security settings that are present in Windows Server
2003 with SP1 and Windows XP with SP2. Chapters 2 through 12 of this guide include
step-by-step security prescriptions, procedures, and recommendations to provide
you with task lists that will help you achieve an elevated level of security for
those computers that run Windows Server 2003 with SP1 in your organization. If you
want more in-depth discussion of the concepts behind this material, refer to resources
such as the Microsoft Windows Server 2003 Resource Kit, the
Microsoft Windows XP Resource Kit, the Microsoft Windows 2000
Security Resource Kit, and Microsoft TechNet.
Executive Summary
Whatever your environment, you are strongly advised to be serious about security
issues. Many organizations underestimate the value of their information technology
(IT) environment, often because they exclude substantial indirect costs. If an attack
on the servers in your environment is severe enough, it could significantly damage
the entire organization. For example, an attack in which your organization’s Web
site is brought down could cause a major loss of revenue or customer confidence,
which could affect your organization’s profitability. When you evaluate security
costs, you should include the indirect costs that are associated with any attack
in addition to the costs of lost IT functionality.
Vulnerability, risk, and exposure analysis with regard to security informs you of
the tradeoffs between security and usability that all computers are subject to in
a networked environment. This guide documents the major security countermeasures
that are available in Windows Server 2003 with SP1, the vulnerabilities that they
address, and the potential negative consequences (if any) of each countermeasure's
implementation.
The guide then provides specific recommendations about how to harden computers that
run Windows Server 2003 with SP1 in three distinct enterprise environments. The
Legacy Client (LC) environment must support older operating systems such as Windows
98. The Enterprise Client (EC) environment is one in which Windows 2000 is the earliest
version of the Windows operating system in use. The third environment is one in
which concern about security is so great that significant loss of client functionality
and manageability is considered an acceptable tradeoff to achieve the highest level
of security. This third environment is known as the Specialized Security – Limited
Functionality (SSLF) environment. Every effort has been made to make this information
well organized and easily accessible so that you can quickly find and determine
which settings are suitable for the computers in your organization. Although this
guide is targeted at the enterprise customer, much of it is appropriate for organizations
of any size.
To get the most value out of the material, you will need to read the entire guide.
You can also refer to the companion guide,
Threats and Countermeasures: Security Settings in
Windows Server 2003 and Windows XP, at http://go.microsoft.com/fwlink/?LinkId=15159.
The team that produced this guide hopes that you will find the material covered
in it useful, informative, and interesting.
Who Should Read This Guide
This guide is primarily intended for consultants, security specialists, systems
architects, and IT professionals who plan application or infrastructure development
and the deployment of Windows Server 2003. These roles include the following common
job descriptions:
- Architects and planners who drive the architecture efforts for the clients in their organizations.
- IT security specialists who are focused purely on how to provide security across the platforms within their organizations.
- Business analysts and business decision makers (BDMs) with critical business objectives and requirements that depend on client support.
- Consultants from both Microsoft Services and partners who need detailed resources of relevant and useful information for enterprise customers and partners.
Scope of this Guide
This guide focuses on how to create and maintain a secure environment for computers
that run Windows Server 2003 with SP1 in your organization. The guidance explains
the different stages of how to secure the three environments that are defined in
the guide, and what each prescribed server setting addresses in terms of client
dependencies. The three environments are described as follows:
- The Legacy Client (LC) environment consists of an Active Directory® directory service domain with member servers and domain controllers that run Windows Server 2003 and some client computers that run Microsoft Windows 98 and Windows NT® 4.0. Computers that run Windows 98 must have the Active Directory Client Extension (DSClient) installed. More information is available in the Microsoft Knowledge Base article "How to install the Active Directory client extension" at http://support.microsoft.com/kb/288358.
- The Enterprise Client (EC) environment consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and client computers that run Windows 2000 and Windows XP.
- The Specialized Security – Limited Functionality (SSLF) environment also consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and clients that run Windows 2000 and Windows XP. However, the Specialized Security – Limited Functionality settings are so restrictive that many applications may not function. For this reason, the servers’ performance may be affected, and it will be more of a challenge to manage the servers. Also, client computers that are not secured by the SSLF policies could experience communication problems with client computers and servers that are secured by the SSLF policies. See the Windows XP Security Guide for information about how to secure client computers with SSLF-compatible settings.
Guidance about ways to harden computers in these three environments is provided
for a group of distinct server roles. The countermeasures that are described and
the tools that are provided assume that each server will have a single role. If
you need to combine roles for some of the servers in your environment, you can customize
the security templates that are included in the download that accompanies this guide
to create the appropriate combination of services and security options. The roles
that are described in this guide include:
- Domain controllers
- Infrastructure servers
- File servers
- Print servers
- Internet Information Services (IIS) servers
- Internet Authentication Services (IAS) servers
- Certificate Services servers
- Bastion hosts
The recommended settings in this guide were tested thoroughly in lab environments
that simulated the previously described Legacy Client, Enterprise Client, and Specialized
Security – Limited Functionality environments. These settings were proven to work
in the lab, but it is important that your organization test these settings in your
own lab that accurately represents your production environment. It is likely that
you will need to make some changes to the security templates and the manual procedures
that are documented within this guide so that all of your business applications
continue to function as expected. The detailed information that is provided in the
companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, provides the information that you
need to assess each specific countermeasure and to decide which of them are appropriate
for your organization's unique environment and business requirements.
Chapter Summaries
The Windows Server 2003 Security Guide consists of 13 chapters.
Each chapter builds on the end-to-end solution process that is required to implement
and secure Windows Server 2003 with SP1 in your environment. The first few chapters
describe how to build a foundation that will allow you to harden the servers in
your organization, and the rest of the chapters document the procedures that are
unique to each server role.
Chapter 1: Introduction to the Windows Server 2003 Security Guide
This chapter introduces the Windows Server 2003 Security Guide
and includes a brief overview of each chapter. It describes the Legacy Client, Enterprise
Client, and Specialized Security – Limited Functionality environments and the computers
that run in them.
Chapter 2: Windows Server 2003 Hardening Mechanisms
This chapter provides an overview of the main mechanisms that are used to harden
Windows Server 2003 SP1 in this guide—the Security Configuration Wizard (SCW) and
Active Directory Group Policy. It explains how SCW provides an interactive framework
to create, manage, and test security policies for Windows servers that serve in
different roles. It also evaluates the capabilities of SCW within the context of
the three environments that are described in Chapter 1.
The next part of this chapter provides high-level descriptions of Active Directory
design, organizational unit (OU) design, Group Policy Objects (GPOs), administrative
group design, and domain policy. These topics are discussed in the context of the
three environments that are described in Chapter 1 to provide a vision of an ideal
secure end-state environment.
This chapter concludes with a detailed examination of how this guide combines the
best features of SCW and traditional GPO-based approaches to harden Windows Server
2003 with SP1.
Chapter 3: The Domain Policy
This chapter explains security template settings and additional countermeasures
for the domain-level policies in the three environments that are described in Chapter
1. The chapter does not focus on any specific server role, but on the specific policies
and settings that are useful for top-level domain policies.
Chapter 4: The Member Server Baseline Policy
This chapter explains security template settings and additional countermeasures
for the different server roles in the three environments that are described in Chapter
1. The chapter focuses on how to establish a Member Server Baseline Policy (MSBP)
for the server roles that are discussed later in the guide.
The recommendations in this chapter are designed to allow organizations to safely
deploy setting configurations for both existing and new deployments of Windows Server
2003 with SP1. The default security configurations within Windows Server 2003 SP1
were researched and tested, and the recommendations in this chapter were determined
to provide greater security than the default operating system settings. Occasionally,
a less restrictive setting is suggested than the one that is present in the default
installation of Windows Server 2003 with SP1 to provide support for Legacy Client
environments.
Chapter 5: The Domain Controller Baseline Policy
The domain controller server role is one of the most important roles to secure in
any Active Directory environment with computers that run Windows Server 2003 with
SP1. Any loss or compromise of a domain controller could seriously affect client
computers, servers, and applications that rely on domain controllers for authentication,
Group Policy, and a central lightweight directory access protocol (LDAP) directory.
This chapter describes the need to always store domain controllers in physically
secure locations that are accessible only to qualified administrative staff. The
hazards of domain controllers in unsecured locations such as branch offices are
addressed, and a significant portion of the chapter is devoted to an explanation
of the security considerations that are the basis for the recommended Domain Controller
Group Policy.
Active Directory domain controllers require a stable, properly configured DNS service.
By default, Windows Server 2003 with SP1 integrates DNS zones into Active Directory,
which allows domain controllers to run the DNS service and answer DNS requests for
clients in the Active Directory domain. This chapter assumes that the domain controller
will also provide DNS service and provides the appropriate guidance.
Chapter 6: The Infrastructure Server Role
In this chapter, the infrastructure server role is defined as either a DHCP server
or a WINS server. Details are provided about how the Windows Server 2003 with SP1
infrastructure servers in your environment can benefit from security settings that
are not applied by the Member Server Baseline Policy (MSBP). This chapter does not
include configuration information for the DNS service, which is included in the
domain controller role.
Chapter 7: The File Server Role
This chapter focuses on the File server role and the difficult aspects of how to
harden such servers. The most essential services for file servers require use of
Windows NetBIOS-related protocols and the SMB and CIFS protocols. The Server Message
Block (SMB) and Common Internet File System (CIFS) protocols are typically used
to provide access for authenticated users, but when improperly secured they can
also disclose rich information to unauthenticated users or attackers. Because of
this threat, these protocols are often disabled in high-security environments. This
chapter describes how file servers that run Windows Server 2003 with SP1 can benefit
from security settings that are not applied by the MSBP.
Chapter 8: The Print Server Role
This chapter focuses on print servers. Like file servers, the most essential services
for print servers require use of Windows NetBIOS-related protocols and the SMB and
CIFS protocols. As stated earlier, these protocols are often disabled in high-security
environments. This chapter describes how Windows Server 2003 with SP1 print server
security settings can be strengthened in ways that are not applied by the MSBP.
Chapter 9: The Web Server Role
This chapter describes how comprehensive security for Web sites and applications
requires an entire IIS server (including each Web site and application that runs
on the IIS server) to be protected from client computers in its environment. Web
sites and applications also must be protected from other Web sites and applications
that run on the same IIS server. Practices to ensure that these measures are achieved
by the IIS servers that run Windows Server 2003 with SP1 in your environment are
described in detail in this chapter.
IIS is not installed on members of the Microsoft Windows Server System™ family by
default. When IIS is initially installed, it is in a highly secure "locked" mode.
For example, the default settings only allow IIS to serve static content. Features
such as Active Server Pages (ASP), ASP.NET, Server-Side Includes, WebDAV publishing,
and Microsoft FrontPage® Server Extensions must be enabled by the administrator
through the Web Service Extensions node in Internet Information Services Manager
(IIS Manager).
Sections in this chapter provide details about a variety of settings you can use
to harden the IIS servers in your environment. The need to monitor, detect, and
respond to security issues is emphasized to ensure that the servers stay secure.
This chapter focuses on IIS Web protocols and applications, such as HTTP, and does
not include guidance on the other protocols that IIS can provide, such as SMTP,
FTP, and NNTP.
Chapter 10: The IAS Server Role
Internet Authentication Servers (IAS) provide Remote Authentication Dial-In User
Services (RADIUS), a standards-based authentication protocol that is designed to
verify the identity of clients who access networks remotely. This chapter describes
ways in which IAS servers that run Windows Server 2003 with SP1 can benefit from
security settings that are not applied by the MSBP.
Chapter 11: The Certificate Services Server Role
Certificate Services provide the cryptographic and certificate management services
that are needed to build a public key infrastructure (PKI) in your server environment.
This chapter describes ways in which Certificate Services servers that run Windows
Server 2003 with SP1 will benefit from security settings that are not applied by
the MSBP.
Chapter 12: The Bastion Hosts Role
Bastion host servers are accessible to client computers from the Internet. In this
chapter, it is explained how these publicly exposed computers are susceptible to
attack from a large number of users who can remain completely anonymous if they
wish. Many organizations do not extend their domain infrastructure to the Internet.
For this reason, this chapter content focuses on how to harden stand-alone computers.
Details are provided about ways in which bastion hosts that run Windows Server 2003
with SP1 can benefit from the security recommendations in this guide for computers
that are not members of an Active Directory–based domain.
Chapter 13: Conclusion
The concluding chapter of this guide reviews the important points of the material
that was presented in the previous chapters.
Appendix A: Security Tools and Formats
Although this guide focuses on how to use SCW to create policies which are then
converted to security templates and Group Policy objects, there are a variety of
other tools and file formats that can be used to augment or replace this methodology.
This appendix provides a short list of these tools and formats.
Appendix B: Key Settings to Consider
This guide discusses many security countermeasures and security settings, but it
is important to understand that a small number of them are particularly important. This
appendix discusses the settings that will have the biggest impact on security of
computers that run Windows Server 2003 with SP1.
Appendix C: Security Template Setting Summary
This appendix introduces the Microsoft Excel® workbook "Windows Server 2003 Security
Guide Settings," which is included with the tools and templates in the
downloadable version of this guide at http://go.microsoft.com/fwlink/?LinkId=14846.
This spreadsheet provides a comprehensive master reference in a compact, usable
form of all of the recommended settings for the three environments that are defined
in this guide.
Appendix D: Testing the Windows Server 2003 Security Guide
This guide provides a significant amount of information about how to harden servers
that run Windows Server 2003 with SP1, but the reader is constantly cautioned to
test and validate all settings before they implement any settings in a production
environment.
This appendix provides guidance about how to create a suitable test lab environment
that can be used to help ensure successful implementation of the recommended settings
in a production environment. It helps users to perform necessary validation and
minimizes the amount of resources that are needed to do so.
Tools and Templates
A collection of security templates, scripts, and additional tools is included with
the downloadable version of this guide to help your organization to evaluate, test,
and implement the recommended countermeasures. The security templates are text files
that can be imported into domain–based Group Policies or applied locally with the
Microsoft Management Console (MMC) Security Configuration and Analysis snap-in.
These procedures are detailed in Chapter 2, "Windows Server 2003 Hardening Mechanisms."
The scripts that are included with this guide include scripts to create and link
Group Policy objects as well as test scripts that are used to test the recommended
countermeasures. Also included is the Excel workbook that summarizes the security
template settings (referenced in the earlier "Appendix C" section).
The files that accompany this guide are collectively referred to as tools and templates.
These files are included in a .msi file within the self-extracting WinZip archive
that contains this guide, which is available on the Microsoft
Download Center at http://go.microsoft.com/fwlink/?LinkId=14846. When you
execute the .msi file, the following folder structure will be created in the location
you specify:
- \Windows Server 2003 Security Guide Tools and Templates\Security Templates. This folder contains all security templates that are discussed in the guide.
- \Windows Server 2003 Security Guide Tools and Templates\Test Tools. This folder contains various files and tools that relate to "Appendix D: Testing the Windows Server 2003 Security Guide."
Skills and Readiness
IT professionals who develop, deploy, and secure installations of Windows Server
2003 and Windows XP in an enterprise environment require the following knowledge
and skills:
- MCSE 2000 or 2003 certification with more than two years of security-related experience.
- In-depth knowledge of organizational domain and Active Directory environments.
- Use of management tools, including the Microsoft Management Console (MMC), Secedit, Gpupdate, and Gpresult.
- Experience in the administration of Group Policy.
- Experience in the deployment of applications and workstation computers in enterprise environments.
Software Requirements
The software requirements for the tools and templates that are documented in this
guide are:
- Windows Server 2003 Standard Edition with SP1, Windows Server 2003 Enterprise Edition with SP1, or Windows Server 2003 Datacenter Edition with SP1.
- A Windows Server 2003–based Active Directory domain.
- Microsoft Excel 2000 or later.
Style Conventions
This guide uses the following style conventions and terminology.

Table 1.1 Style Conventions

| Element | Meaning |
| --- | --- |
| Bold font | Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italic. |
| <Italic> | Placeholders set in italic and angle brackets <file name> represent variables. |
| Monospace font | Defines code and script samples. |
| Note | Alerts the reader to supplementary information. |
| Important | Alerts the reader to essential supplementary information. |

Summary
This chapter provided an overview of the primary factors that are involved to secure
computers that run Windows Server 2003 with SP1, which are considered and discussed
in greater detail in the rest of the guide. Now that you understand how this guide
is organized, you can decide whether to read it from beginning to end or select
only those sections that interest you.
However, it is important to remember that effective and successful security operations
require improvements in all of the areas that are discussed in this guide, not just
a few. For this reason, Microsoft recommends that you read the entire guide to take
full advantage of all the information it contains to secure computers that run Windows
Server 2003 with SP1 in your organization.
More Information
The following links provide additional information about topics that relate to security
and Windows Server 2003 with SP1.
- For more information about security at Microsoft, see the Trustworthy Computing page at www.microsoft.com/mscorp/twc/default.mspx.
- For more details about how MOF can assist in your enterprise, see the Microsoft Operations Framework page at http://technet.microsoft.com/en-us/library/cc506049.aspx.
- For information about Microsoft security notifications, see the Microsoft Security Bulletin Search page at www.microsoft.com/technet/security/current.aspx.