The Office of Information Technology - UTSA

This document should be rendered in an HTML format. If you are using an editor that does not show HTML documents please skip to page content, links on this page, and/or site navigation.

Copyright (c) 2007. The University of Texas at San Antonio. All rights reserved.

Information Security Office

Office of Information Technology
UTSA http://www.utsa.edu OIT Main Link
Security MainPoliciesSecurity NewsBest PracticesContact UsITA/ISA

Windows 2003 Server Security

 

Air Rowdy

1604 & DT Campus Classroom Tech Support

210.458.4520

1604 Campus Classroom Tech Support - After Hours

210.458.4529

DT Campus Classroom Tech Support - After Hours

210.458.2640

Computer Problems?

UTSA Helpdesk
210.458.5538

Student Computing Services

210.458.4557

Windows 2003 Server Checklist

This checklist contains server hardening procedures for Windows 2003 Server. The procedures listed in this document are a balance of industry best practices and the unique minimum requirements of UTSA’s computing environment. Since Windows 2003 Server does not come configured securely out of the box, it is necessary to follow these steps to prevent attacks from exploiting known vulnerabilities. In the event that the minimum requirements cannot be met, exceptions must be documented on this document in the area provided (Minimum Requirements Exceptions). In all cases this document must be retained for compliance and future reference. The checklist is available for download (Windows 2003 Checklist - DOC). The checklist should be downloaded and kept for your records for audit and compliance requirements.

 Keys to Security

Server Information

Hostname

 

IP Address

 

MAC Address

 

Asset Tag

 

Administrator

 

Phone #

Date

 

Server Classification

CAT 1 - 2 - 3

Preparation

Before installing Server 2003, please contact the Information Security Office for permission to add a server onto the UTSA network.  Once permission has been granted, the server will have a static IP Address assigned to your host.  The request for a static IP Address can be made online at http://www.utsa.edu/infotech/NS/iprequest.htm or by contacting the UTSA Help Desk (x5538).

Physical Security

Physical server security is as important as logical server security. The server console should be protected to maintain confidentiality, integrity and availability.

Step

Procedure

Initials

1

  

Access control mechanisms should be established to minimize physical access to the server.

  

CAT 1

The following access controls are required for servers containing Cat1 data or sensitive data as classified by the Data Classification Standard:

  • Electronic access control mechanisms must be in place to audit the access to the room where the server resides.
  • Access to the room should be minimized to authorized administrators of the system(s).
  • The console should be locked when not in use.
  • If the area where the server resides is an “open” unrestricted area, a rack system should be used to secure the server and a bios password needs to be configured.

CAT 2/3

The following access controls are required for servers containing Cat 2/3 data.

  • The console must be locked when not in use.
  • The server should reside in an area that has minimal access

Installation

If a server is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.  Consider using the Security Configuration Wizard to assist in hardening the host. 

Server Packs and Hot Fixes

Step

Procedure

Initials

2

  

Install the latest service packs and hotfixes from Microsoft

  

3

  

Enable automatic update notifications of patch availability or contact OIT to receive updates via the university Microsoft SUS Server.

  

4

  

Record the patch level to establish a baseline.  (use MS Baseline Analyzer http://www.microsoft.com/technet/security/tools/mbsahome.mspx)

  

Audit and Account Policies

Step

Procedure

Initials

5

  

Configure Audit Policy as described.

  

6

  

Set Password length and complexity as described below

  

7

  

Configure event log settings

  

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch02n.mspx

5.   Configure Audit Policy

Configure a strong audit policy.  Successful and failed logins, as well as privilege use, should be logged and monitored to detect any unauthorized activity. 

The UTSA Information Security Office recommends the following Auditing settings:

Recommended Settings

Audit account logon events

Success, Failure

  

Audit account management

Success, Failure

  

Audit directory service access

No auditing

  

Audit logon events

Success, Failure

  

Audit object access

No auditing

  

Audit policy change

Success, Failure

  

Audit privilege use

Success, Failure

  

Audit process tracking

No auditing

  

Audit system events

No auditing

  

6.  Set Password Length and Complexity

Use the Domain Security Policy (or Local Security Policy) snap-in to strengthen the system policies for password acceptance, including:

Recommended Settings

Enforce password history

10

  

Maximum password age

< 90

  

Minimum password age

2

  

Minimum password length

8

  

Password meets complexity requirements

Enable

  

Store passwords using reversible encryption

Disabled

  

7.  Configure Event Log

Recommended Settings

Maximum Application log size

16384

  

Maximum Security log size

16384

  

Maximum System log size

16384

  

Prevent local guests group from accessing application log

Enabled

  

Prevent local guests group from accessing security log

Enabled

  

Prevent local guests group from accessing system log

Enabled

  

Retention method for application, security, and system log

Overwrite as Needed

  

Security Settings

Step

Procedure

Initials

8

 

Disable local Guest Account

  

9

 

Disable anonymous SID/Name translation

  

10

 

Do not allow Anonymous enumeration of SAM accounts and shares

  

11

 

Ensure that the local Admin password meets password requirements listed below and as described in the Password Policy

  

12

 

Enable account lockout on the local Administrator account

  

13

 

Digitally Encrypt Secure Channel Data  (When possible)

  

14

 

Place the University warning banner in the Message Text for Users Attempting to log on (see optional banner messages below)

  

15

 

Disable the sending of unencrypted password to connect to Third-Party SMB Servers

  

16

 

Do not allow Everyone permissions to apply to anonymous users

  

17

 

Do not allow any named pipes to be accessed anonymously

  

18

 

Ensure that no shares can be accessed anonymously

 

19

 

Choose “Classic” as the sharing and security model for local accounts

  

20

 

Allow log on through Terminal Services must be limited to a specific group(s) ie. Remote Desktop Group

  

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch05n.mspx

11.  Local Administrator Password Length and Complexity

  • Password must contain at least 10 characters
  • Set a minimum password age of < 90
  • Set a password history maintenance
  • Password must contain both upper and lower case characters as well as letters
  • Password must contain special characters   
  • Passwords must not be based on personal information; must not be a word in any language, dialect, jargon, etc.

12.  Local Administrator Account Password Policy

  • Enable account lockout on the local administrator account
  • Rename the local Administrator account to something other than Administrator

14.     University Warning Banner

                              ******  University of Texas at San Antonio ******

                            Warning ! Warning ! Warning ! Warning !

 This system is for the use of authorized users only. Use of this computer without

explicit authority, or in access of authority, is subject to tracking, monitoring and

preservation of evidence.  As a result the individual may be subject to criminal prosecution

and/or disciplinary action.

Additional Security Protection

Step

Procedure

Initials

21

 

Disable or uninstall unused services

  

22

 

Disable or delete unused users

  

23

 

Ensure all volumes are using the NTFS file system

  

24

 

Use the Internet Connection Firewall or other methods to limit connections to the server.

  

25

 

Configure registry permissions as needed

  

26

 

Synchronize and configure your server with the UTSA campus time servers to set system time/date

  

27

 

Install and enable anti-virus software

  

28

 

Install and enable anti-spyware software

  

29

 

Configure anti-virus and anti-spyware software to update daily

  

30

 

Configure the device boot order to prevent unauthorized booting from alternate media.

  

31

 

Install software to check the integrity of critical operating system files

  

32

 

Configure RDP connections and access controls as described

  

33

 

Systems providing storage will adhere to the requirements established under the Data Classification Standards.

  

©The University of Texas at San Antonio One UTSA Circle San Antonio TX 78249
Revised: 02/01/2008
Refer Comments to: oit@utsa.edu
Identity Guidelines | Policies | Emergency Preparedness | Required Links