Support - Securing a New Installation of Windows Server 2003
This document can be used by systems administrators as a supplement for basic hardening of an out of the box installation of Windows Server 2003. This document is not intended to be a sole guide for securing your new installation of Windows 2003 Server. You should also consult other more in depth resources such as the Windows Server 2003 Security Guide provided by Microsoft.
- Post OS Installation
The following changes should be applied before the server is connected to the Internet.
- Administrator Password
The first thing you should do after the installation of the OS is set a complex password for the Administrator account. Best practices call for a password containing uppercase and lowercase letters together with numbers and symbols, for example x8DL9@nY* (do not use that example literally; it is published here and will be in every dictionary). Longer is better: a passphrase of 15 or more characters costs nothing on a server that is logged into rarely.
If you are having trouble coming up with a random password, generate one locally (a password manager or a local generator tool) rather than pasting the password for a privileged account into a web page; a quick search for "random password generator" will turn up plenty of tools.
- Default Audit Policy
You should modify the default Audit Policy via the Local Security Settings snap-in (Administrative Tools\Local Security Policy). More auditing is generally better, but every category you enable adds to the Security log, so raise the log size (Event Viewer -> Security -> Properties) at the same time or the events you want will be overwritten before anyone reads them. As a baseline you can use the following settings:
- Audit account logon events: Success, Failure
- Audit logon events: Success, Failure
- Audit system Events: Success, Failure
For a detailed explanation of each setting double click the property in question and select the "Explain This Setting" tab.
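The same baseline applied from the command line, as an added example that is not part of the original article. It writes a security template and applies it with secedit, so it can be scripted across many servers instead of clicked through the snap-in. The file names under %TEMP% and the two extra categories (policy change and account management) and the 80 MB log size are my own choices, not settings from the article; the [Event Audit] and [Security Log] key names are the standard security-template keys (3 = Success and Failure).

```batch
@echo off
:: Added example (not part of the original article): apply the baseline audit
:: policy with a security template and secedit instead of the snap-in.
:: Run from cmd.exe as Administrator on the server. File names are arbitrary.
setlocal
set TPL=%TEMP%\audit-baseline.inf

:: 3 = Success and Failure, 1 = Success only, 2 = Failure only, 0 = No auditing
> "%TPL%" echo [Version]
>> "%TPL%" echo signature="$CHICAGO$"
>> "%TPL%" echo Revision=1
>> "%TPL%" echo [Event Audit]
>> "%TPL%" echo AuditAccountLogon = 3
>> "%TPL%" echo AuditLogonEvents = 3
>> "%TPL%" echo AuditSystemEvents = 3
:: Extra (my addition): without these an attacker can switch auditing off or
:: add an account and neither action leaves a record.
>> "%TPL%" echo AuditPolicyChange = 3
>> "%TPL%" echo AuditAccountManage = 3
:: Audit settings are useless if the Security log wraps in minutes; raise its
:: size (in KB) so events survive until they are collected or reviewed.
>> "%TPL%" echo [Security Log]
>> "%TPL%" echo MaximumLogSize = 81920
>> "%TPL%" echo AuditLogRetentionPeriod = 0

secedit /configure /db "%TEMP%\audit-baseline.sdb" /cfg "%TPL%" /areas SECURITYPOLICY /log "%TEMP%\audit-baseline.log" /quiet
if errorlevel 1 (
    echo secedit failed, see %TEMP%\audit-baseline.log
    exit /b 1
)

:: Verify: export the effective policy and show the audit-related lines.
secedit /export /cfg "%TEMP%\audit-effective.inf" /areas SECURITYPOLICY /quiet
findstr /B /I "Audit" "%TEMP%\audit-effective.inf"
endlocal
```

On a domain member, a Group Policy object that sets the same categories will override whatever you configure locally, so check the effective policy (the export at the end) rather than the template you applied.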
- Enable Windows Firewall
You should enable Windows Firewall, and you must do so if there is no external firewall device in front of your new Windows 2003 Server; even behind an external firewall, the host firewall limits what other machines on the same network segment can reach. Note that Windows Firewall ships with Service Pack 1; RTM media carries the older Internet Connection Firewall under the same Advanced tab, so if you are installing from RTM media, enable that now and revisit the settings after the service pack is applied.
You can enable Windows Firewall by right clicking on your Local Area Connection under Network Connections in the Control Panel. Select the Advanced tab under the Local Area Connection Properties and then select the "Settings" button under Windows Firewall. Be sure to make allowances for the services you need before applying your changes (such as Remote Desktop, FTP, HTTP, etc.), and scope management ports such as Remote Desktop to your administrative addresses rather than opening them to the whole Internet.
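The same configuration from cmd.exe, as an added example that is not part of the original article. It requires Service Pack 1 (the "netsh firewall" context does not exist on RTM media). The admin subnet 192.0.2.0/24, the HTTP exception and the log path are placeholders I chose for illustration; remove any exception for a service this server will not run.

```batch
@echo off
:: Added example (not part of the original article): enable Windows Firewall
:: from cmd.exe and open only what the server needs. Requires Service Pack 1.
:: ADMIN_NET and the port list are placeholders; replace them with your own.
set ADMIN_NET=192.0.2.0/24

:: Turn the firewall on for every profile, keeping the exception list in force.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

:: Remote Desktop: enable the built-in exception, but only from the admin subnet.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%ADMIN_NET% profile=ALL

:: Public services this box will actually run (example: a web server).
:: Omit the line for anything you do not run; FTP needs more than one port.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL profile=ALL

:: File and Printer Sharing exposes SMB (445) and NetBIOS (137-139);
:: keep it off on an Internet-facing box.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

:: Do not answer ping from the Internet (type 8 = inbound echo request).
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL

:: Log dropped packets; this is the cheapest intrusion indicator you will get.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

:: Review the result before you plug the cable in.
netsh firewall show state
netsh firewall show config
```

If you manage the server over Remote Desktop, run this from the console (or with a scheduled task) rather than over the session you are about to restrict: a typo in ADMIN_NET locks you out.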
- Install Specific Applications
You should install the specific applications needed on your Windows 2003 Server before running Windows update. This way you will not need to run Windows update more than once during the initial audit of the server (specific applications include IIS, SMTP, etc.). After the installation of specific applications you should configure them according to best practices. Microsoft provides documentation on their website related to installation, configuration, and hardening of specific Microsoft based applications.
- Stop Unnecessary Services
You should disable unnecessary services to reduce the number of possible attack vectors against this server. Set each one to Disabled and then stop it; a service that is merely stopped will start again at the next reboot. Common unnecessary services for servers include DHCP Client (only if the server has a static address; it also handles dynamic DNS registration), Fax Service, Internet Connection Sharing, Intersite Messaging, Remote Registry Service, RunAs Service (named Secondary Logon in Windows Server 2003), Simple TCP/IP Services, Telnet, Utility Manager. Before disabling anything, check its dependencies in the service properties so you do not take down something you need.
You should also uninstall (if applicable) extra protocols such as NWLink IPX/SPX, and disable NetBIOS over TCP/IP on each adapter (TCP/IP properties -> Advanced -> WINS) unless required.
If this server is going to be a standalone server, you should disable File and Print Sharing on the properties of the Local Area Connection.
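An added example, not from the original article, that disables the services above with sc.exe so the change survives a reboot, verifies the result, and turns off NetBIOS over TCP/IP on every IP-enabled adapter. The short service names are the Windows Server 2003 names (Fax, SharedAccess = Internet Connection Sharing, IsmServ = Intersite Messaging, RemoteRegistry, seclogon = Secondary Logon/RunAs, SimpTcp, TlntSvr = Telnet). The DHCP Client service is deliberately left out of the list, and the wmic call is my addition for the NetBIOS step; a service that is not installed simply produces no output in the verification loop.

```batch
@echo off
:: Added example (not part of the original article): disable the services
:: listed above so they stay down after a reboot, then confirm.
::
:: Dhcp is deliberately left out: the DHCP Client service also performs
:: dynamic DNS registration, and a DHCP-assigned server loses its address at
:: lease end. Add it only if the server has a static IP and you have checked
:: nothing else depends on it.
setlocal
set SVCS=Fax SharedAccess IsmServ RemoteRegistry seclogon SimpTcp TlntSvr

for %%S in (%SVCS%) do (
    rem "start= disabled" (the space after = is required) keeps it off after
    rem reboot; "sc stop" alone lasts only until the next boot.
    sc config %%S start= disabled >nul 2>&1
    sc stop %%S >nul 2>&1
)

:: Verify: anything still RUNNING or START_TYPE other than DISABLED needs a
:: second look. Services that are not installed print nothing here.
for %%S in (%SVCS%) do (
    echo --- %%S
    sc query %%S | findstr /I "STATE"
    sc qc %%S | findstr /I "START_TYPE"
)

:: NetBIOS over TCP/IP is a per-adapter setting, not a removable protocol.
:: 2 = disable; this closes ports 137-139 on every IP-enabled adapter.
wmic nicconfig where IPEnabled=true call SetTcpipNetbios 2
endlocal
```

Disabling NetBIOS over TCP/IP also removes the server from browse lists and breaks name resolution for anything that relies on NetBIOS names, so do it only on a standalone box or one that resolves everything through DNS.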
- Modify Folder Views
You should uncheck "Hide file extensions for known file types," as well as checking "Show hidden files and folders." This can be done by selecting the Tools Menu -> Folder Options from any Explorer Window. Once in the Folder Options property select the View tab and make the recommended changes.
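The same two Folder Options changes as registry writes, as an added example that is not part of the original article. These values live under HKCU, so they apply only to the account that runs the script; repeat it for every administrator profile on the box. The ShowSuperHidden value is my addition beyond what the article lists.

```batch
@echo off
:: Added example (not part of the original article): the Folder Options
:: changes above as registry writes for the current user.
set K=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

:: HideFileExt=0 shows extensions, so "readme.txt.exe" can no longer pose as
:: a text file in Explorer.
reg add %K% /v HideFileExt /t REG_DWORD /d 0 /f
:: Hidden=1 shows hidden files and folders (2 hides them).
reg add %K% /v Hidden /t REG_DWORD /d 1 /f
:: Not in the list above but worth it on a server: also show protected
:: operating system files, a favourite place to park a planted binary.
reg add %K% /v ShowSuperHidden /t REG_DWORD /d 1 /f

:: Verify the stored values; open Explorer windows pick them up on restart.
reg query %K% /v HideFileExt
reg query %K% /v Hidden
reg query %K% /v ShowSuperHidden
```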
- Install Anti Virus Software
You should install the antivirus solution of your choice. If you are in the dark about which to choose you can check out any of the following to see if they suit your needs: Trend Micro Server Protect, eEye's Blink, Panda Antivirus, CA Anti-Virus, etc. There are many options available for an anti virus solution - choose the one that best suits your needs.
You can now connect this server to the Internet after following the above steps.
- After Connecting to the Internet
- Microsoft Windows Update
Install the latest Windows Service Pack as well as all recommended operating system and software updates, by going to http://windowsupdate.microsoft.com
Reboot when prompted and return to Windows Update until no further updates are offered; service packs and some updates only expose the next round of fixes after a restart. This is also a good time to turn on Automatic Updates (Control Panel -> System -> Automatic Updates) and configure it to your liking: download only, download and install on a schedule, or notify you when updates are ready.
- Microsoft Baseline Security Analyzer
Install and run the MBSA. This application will identify missing security updates and common security misconfigurations (weak or blank passwords, unnecessary shares, IIS and SQL Server settings). It only reports; it does not change anything, so work through each finding and correct it yourself, then re-run the scan to confirm.
- Remote Scan of Server
This step is optional, but at this point it would be a good time to remotely scan this server with any vulnerability/port scanning tools of your liking, from a host outside the firewall so you see what the Internet sees. You should do this before the "bad guys" do. Everyone has their own preferred tools, but at the least you should scan your new server with the Nessus Security Scanner and probe it with nmap to confirm that every open port maps to a service you intentionally exposed, and keep the output as a baseline to compare against later.
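A baseline nmap scan of the new server from a separate Windows workstation, as an added example that is not part of the original article. The target address 203.0.113.10 and the output file names are placeholders; nmap (with its packet capture driver, since -sS needs raw sockets) must be on the PATH.

```batch
@echo off
:: Added example (not part of the original article): baseline port scan of
:: the new server from another host, run before the box faces the Internet
:: and again afterwards. Replace TARGET with the server's address.
set TARGET=203.0.113.10

:: Full TCP range with service/version detection. -Pn because a firewall
:: that drops ping would otherwise make nmap report the host as down.
nmap -Pn -sS -sV -p- --reason -oA new-server-tcp %TARGET%

:: UDP is slow; check the ports that matter on a Windows box
:: (DNS, NTP, NetBIOS, SNMP, SMB, IKE).
nmap -Pn -sU -p 53,123,137,138,161,445,500 --reason -oA new-server-udp %TARGET%

:: Anything "open" here must map to a service you intentionally exposed.
findstr /C:"/open/" new-server-tcp.gnmap new-server-udp.gnmap
```

Keep the .gnmap files: running the same two commands after each change and diffing the output tells you immediately when a new listener appears.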
- Conclusion
If your server will be hosting web applications available to the Internet, you should pay close attention to how these applications work and whether or not the code is written securely. A huge problem on the Internet today is SQL Injection. Even if you follow every guide available for locking down your server, a badly written web application vulnerable to SQL Injection can compromise the integrity of your server. For more information on protecting your code from SQL Injection see the article written by Adhost System Administrators: Protecting your code from SQL Injection.
Did you know that Adhost provides managed services for your dedicated server? Managed services include keeping your server and data secure as well as server monitoring and patching. Let the professional Systems Administrators at Adhost do the work for you! For more information see: http://www.adhost.com/colocation/managed.shtml or call 1-888-234-6781.