Configuring Windows Server 2003 Security Settings
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
After installing Windows Server 2003, the security settings are configured so that the server is locked down. After installing IIS 6.0, evaluate the default security settings to determine whether they are sufficient for the Web sites and applications that your Web server hosts. You might need more stringent security requirements for Web sites and applications when the following is true:
Users on the Internet access the Web sites and applications.
Web sites and applications contain confidential information.
Configure Windows Server 2003 to more restrictive security settings by completing the following steps:
Rename the Administrator account.
The built-in account, Administrator, exists by default on every newly installed Web server. Potential attackers only have to guess the password for this well-known user account to exploit it. You can rename the Administrator user account to help protect your Web server from potential attackers. For more information about how to rename the Administrator user account, see Secure Windows Server 2003 Built-in Accounts.
Important During the default installation of Windows Server 2003, the Guest account is disabled. Ensure that the Guest account has not been enabled since the installation.
Format all disk volumes with the NTFS file system.
From a security perspective, the primary reason for requiring that all disk volumes are formatted with NTFS is that NTFS is the only file system supported by Windows Server 2003 that allows you to secure files and folders. FAT or FAT32 partitions cannot be secured.
Because the Web sites and applications are stored as files and folders on the Web server, NTFS helps prevent unauthorized users from directly accessing or modifying the files and folders that make up your Web sites and applications. For more information about the benefits of formatting disk volumes as NTFS on Web servers, see NTFS Permissions.
If any existing disk volumes are FAT or FAT32, convert the disk volumes to NTFS. For more information about how to convert existing disk volumes to NTFS, see Convert Existing Disk Volumes to NTFS.
Remove NTFS permissions that are granted to the Everyone group on the root folder of all disk volumes.
By default, the Everyone group is granted Read and Execute permissions on the root folder of each disk volume. The default permissions can pose a potential security threat for any newly created folders on the volumes because, unless explicitly denied, these permissions are inherited in any new folders. To help prevent this potential security problem, remove all permissions that are granted to the Everyone group on the root folder of all disk volumes.For more information about how to remove the permissions that are granted to the Everyone group on the root folder of each disk volume, see Secure the Root Folder of Each Disk Volume.
Important The Administrators group still has full control on the root folder of each disk volume. In Setting NTFS Permissions, later in this section, you will grant access to the Web site users by setting the appropriate NTFS permissions on the Web site content.
Remove any compilers or development environments.
If compilers or development environments are installed on production Web servers, potential attackers can use them to upload source files to a malicious program and then use the Web server to compile the malicious program. In many instances, the source files might not be perceived as a threat, whereas an executable file would be. You can remove any compilers and development environments to help ensure that potential attackers cannot remotely compile a malicious program and then run that malicious program on the Web server.
Consult the documentation of the compiler or development environment for information about how to remove them.
Disable NetBIOS over TCP/IP.
To prevent attackers from executing the NetBIOS Adapter Status command on a server, and reveal the name of the user who is currently logged on, disable NetBIOS over TCP/IP on public connections of the server.
Important Before you disable NetBIOS over TCP/IP, make sure that it doesn't affect the management tools that you use to manage the server and other applications running on the server. You can do this by disabling NetBIOS over TCP/IP on a test server before disabling it on your production servers.