Server Hardening Checklist
Windows 2003 Server Checklist
This checklist contains server hardening procedures for Windows 2003 Server. The procedures listed in this document are a balance of industry best practices and the unique minimum requirements of UTSA’s computing environment. Since Windows 2003 Server does not come configured securely out of the box, it is necessary to follow these steps to prevent attacks from exploiting known vulnerabilities. In the event that the minimum requirements cannot be met, exceptions must be documented on this document in the area provided (Minimum Requirements Exceptions). In all cases this document must be retained for compliance and future reference. The checklist is available for download (Windows 2003 Checklist - DOC). The checklist should be downloaded and kept for your records for audit and compliance requirements.
Server Information

| Field | Value |
| --- | --- |
| Hostname | |
| IP Address | |
| MAC Address | |
| Asset Tag | |
| Administrator | |
| Phone # | |
| Date | |
| Server Classification | CAT 1 - 2 - 3 |
Preparation
Before installing Server 2003, please contact the Information Security Office for permission to add a server onto the UTSA network. Once permission has been granted, a static IP address will be assigned to your host. The request for a static IP address can be made by contacting OIT Support Services at 458-5555.
Physical Security
Physical server security is as important as logical server security. The server console should be protected to maintain confidentiality, integrity and availability.
| Step | √ | Procedure | Initials |
| --- | --- | --- | --- |
| 1 | | Access control mechanisms should be established to minimize physical access to the server. | |
CAT 1
The following access controls are required for servers containing CAT 1 data or sensitive data as classified by the Data Classification Standard:
- Electronic access control mechanisms must be in place to audit access to the room where the server resides.
- Access to the room should be minimized to authorized administrators of the system(s).
- The console should be locked when not in use.
- If the area where the server resides is an "open" unrestricted area, a rack system should be used to secure the server and a BIOS password needs to be configured.
CAT 2/3
The following access controls are required for servers containing CAT 2/3 data:
- The console must be locked when not in use.
- The server should reside in an area that has minimal access.
Installation
If a server is a new install, protect it from hostile network traffic until the operating system is installed and hardened. Consider using the Security Configuration Wizard to assist in hardening the host.
Service Packs and Hotfixes

| Step | √ | Procedure | Initials |
| --- | --- | --- | --- |
| 2 | | Install the latest service packs and hotfixes from Microsoft. | |
| 3 | | Enable automatic update notifications of patch availability, or contact OIT to receive updates via the university Microsoft SUS Server. | |
| 4 | | Record the patch level to establish a baseline (use the Microsoft Baseline Security Analyzer). | |
Audit and Account Policies
| Step | √ | Procedure | Initials |
| --- | --- | --- | --- |
| 5 | | Configure the audit policy as described below. | |
| 6 | | Set password length and complexity as described below. | |
| 7 | | Configure event log settings as described below. | |
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch02n.mspx
Configure Audit Policy
Configure a strong audit policy. Successful and failed logins, as well as privilege use, should be logged and monitored to detect any unauthorized activity.
The UTSA Information Security Office recommends the following Auditing settings:
| Recommended Setting | Value | √ |
| --- | --- | --- |
| Audit account logon events | Success, Failure | |
| Audit account management | Success, Failure | |
| Audit directory service access | No auditing | |
| Audit logon events | Success, Failure | |
| Audit object access | No auditing | |
| Audit policy change | Success, Failure | |
| Audit privilege use | Success, Failure | |
| Audit process tracking | No auditing | |
| Audit system events | No auditing | |
Set Password Length and Complexity
Use the Domain Security Policy (or Local Security Policy) snap-in to strengthen the system policies for password acceptance, including:
| Recommended Setting | Value | √ |
| --- | --- | --- |
| Enforce password history | 10 | |
| Maximum password age | < 90 | |
| Minimum password age | 2 | |
| Minimum password length | 8 | |
| Password must meet complexity requirements | Enabled | |
| Store passwords using reversible encryption | Disabled | |
Configure Event Log
| Recommended Setting | Value | √ |
| --- | --- | --- |
| Maximum Application log size (KB) | 16384 | |
| Maximum Security log size (KB) | 16384 | |
| Maximum System log size (KB) | 16384 | |
| Prevent local guests group from accessing application log | Enabled | |
| Prevent local guests group from accessing security log | Enabled | |
| Prevent local guests group from accessing system log | Enabled | |
| Retention method for application, security, and system log | Overwrite as needed | |
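The audit, password and event log settings above can be verified against the server's effective policy as exported by `secedit /export /cfg <file>`. The following script is an added example, not part of the UTSA checklist; it embeds a constructed export and assumes the section and key names that secedit writes ([Event Audit], [System Access], [Security Log]). A real export file is UTF-16, so read it with `open(path, encoding="utf-16")`.

```python
import configparser

# Checklist values as secedit writes them.  Event Audit: 0 = none, 1 = success,
# 2 = failure, 3 = both.  Log size is in KB; AuditLogRetentionPeriod 0 = overwrite.
EXPECTED = {
    "Event Audit": {"AuditAccountLogon": "3", "AuditAccountManage": "3",
                    "AuditLogonEvents": "3", "AuditPolicyChange": "3",
                    "AuditPrivilegeUse": "3", "AuditSystemEvents": "0"},
    "System Access": {"PasswordHistorySize": "10", "MinimumPasswordAge": "2",
                      "MinimumPasswordLength": "8", "PasswordComplexity": "1"},
    "Security Log": {"MaximumLogSize": "16384", "AuditLogRetentionPeriod": "0",
                     "RestrictGuestAccess": "1"},
}
# Constructed sample export with three deviations: maximum age too long,
# privilege-use auditing off, guest restriction on the security log missing.
SAMPLE_INF = """[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 10
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
"""

def check(inf_text):
    """Return one finding per setting that deviates from the checklist."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep secedit's mixed-case key names as written
    cp.read_string(inf_text)
    findings = []
    for section, keys in EXPECTED.items():
        for key, want in keys.items():
            got = cp.get(section, key, fallback=None)
            if got != want:
                findings.append(f"{section}/{key}: {got} (want {want})")
    # MaximumPasswordAge is a bound in the checklist (< 90); -1 = never expires.
    age = cp.getint("System Access", "MaximumPasswordAge", fallback=-1)
    if not 0 < age < 90:
        findings.append(f"System Access/MaximumPasswordAge: {age} (want < 90)")
    return findings
```

Run it after each hardening pass and keep the empty finding list with the signed checklist as the baseline record (step 4).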
Security Settings
| Step | √ | Procedure | Initials |
| --- | --- | --- | --- |
| 8 | | Disable the local Guest account. | |
| 9 | | Disable anonymous SID/Name translation. | |
| 10 | | Do not allow anonymous enumeration of SAM accounts and shares. | |
| 11 | | Ensure that the local Administrator password meets the password requirements listed below and as described in the Password Policy. | |
| 12 | | Enable account lockout on the local Administrator account. | |
| 13 | | Digitally encrypt secure channel data (when possible). | |
| 14 | | Place the University warning banner in the "Message text for users attempting to log on" setting (see the University warning banner below). | |
| 15 | | Disable the sending of unencrypted passwords to connect to third-party SMB servers. | |
| 16 | | Do not allow Everyone permissions to apply to anonymous users. | |
| 17 | | Do not allow any named pipes to be accessed anonymously. | |
| 18 | | Ensure that no shares can be accessed anonymously. | |
| 19 | | Choose "Classic" as the sharing and security model for local accounts. | |
| 20 | | "Allow log on through Terminal Services" must be limited to specific group(s), e.g. the Remote Desktop Users group. | |
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch05n.mspx
Local Administrator Password Length and Complexity
- Password must contain at least 10 characters
- Set a minimum password age of < 90
- Set a password history maintenance
- Password must contain both upper and lower case characters as well as letters
- Password must contain special characters
- Passwords must not be based on personal information; must not be a word in any language, dialect, jargon, etc.
Local Administrator Account Password Policy
- Enable account lockout on the local administrator account
- Rename the local Administrator account to something other than Administrator
University Warning Banner
****** University of Texas at San Antonio ******
Warning ! Warning ! Warning ! Warning !
This system is for the use of authorized users only. Use of this computer without
explicit authority, or in excess of authority, is subject to tracking, monitoring and
preservation of evidence. As a result, the individual may be subject to criminal prosecution
and/or disciplinary action.
Additional Security Protection
| Step | √ | Procedure | Initials |
| --- | --- | --- | --- |
| 21 | | Disable or uninstall unused services. | |
| 22 | | Disable or delete unused user accounts. | |
| 23 | | Ensure all volumes are using the NTFS file system. | |
| 24 | | Use the Internet Connection Firewall or other methods to limit connections to the server. | |
| 25 | | Configure registry permissions as needed. | |
| 26 | | Synchronize and configure your server with the UTSA campus time servers to set the system time and date. | |
| 27 | | Install and enable anti-virus software. | |
| 28 | | Install and enable anti-spyware software. | |
| 29 | | Configure anti-virus and anti-spyware software to update daily. | |
| 30 | | Configure the device boot order to prevent unauthorized booting from alternate media. | |
| 31 | | Install software to check the integrity of critical operating system files. | |
| 32 | | Configure RDP connections and access controls as described. | |
| 33 | | Systems providing storage will adhere to the requirements established under the Data Classification Standards. | |
Tools