Solved

Server hardening document for Windows server 2003/2008/2008R2

Posted on 2014-03-20
3
6,828 Views
Last Modified: 2014-04-05
Hello team,

I want one best server hardening document which contains windows server 2003/ 2008/ 2008R2 hardening with windows firewall restrictions.
0
Comment
Question by:syinfra
  • 2
3 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39941808
Baseline Server Hardening

•The base install of all operating system and post-operating system software comes from a trusted source.
•Servers are only connected to a completely trusted network during the install and hardening processes.
•The base install includes all current service packs and is reasonably current with regard to post-service pack updates.
•After the base install finishes, you must update the target servers.

If you follow these guidelines, you will begin the hardening process on servers that you have updated and built from trustworthy software sources.

Use of Group Policy and Security Templates in Basic Server Hardening

The application of Group Policy objects was covered in Group Policy Templates. The guidelines and templates described in that section will begin the process of basic server hardening. This section describes important security steps and addresses whether Group Policy can automatically implement them. In some cases, you need to customize a security template, using the generic instructions for modifying security templates found in the Group Policy Templates section to implement a recommendation.

Use NTFS Only

The Windows NTFS file system (NTFS) partitions offer access controls and protections that are not available with the file allocation table (FAT), FAT32, or FAT32x file systems. Make sure that you format all partitions on your server using NTFS. If necessary, use the Convert tool to convert your FAT partitions to NTFS.


Note

If you use the Convert tool, it will set the access control lists (ACLs) for the converted drive to Everyone: Full Control. Use the Fixacls.exe tool from the Microsoft Windows Server 2003 Resource Kit to reset the ACLs to values that are more reasonable and recommended in Best Practices for Centralized Management.

Use a Strong Password on the Administrator Account

Windows Server 2003 allows passwords of up to 127 characters. In general, longer passwords are stronger than shorter ones, and passwords with several character types (letters, numbers, punctuation marks, and nonprinting ASCII characters generated by using the ALT key and three-digit key codes on the numeric keypad) are stronger than alphabetic or alphanumeric-only passwords.

For maximum protection, ensure the Administrator account password is at least nine characters long and that it includes at least one punctuation mark or nonprinting ASCII character in the first seven characters. In addition, the Administrator account password should not be synchronized across multiple servers. You should use different passwords on each server to raise the level of security in the workgroup or domain.

Rename the Administrator Account

A very simple yet effective procedure that should be a standard part of the hardening process for all servers is to rename the built-in administrator account.

This account is the primary point for attacks, because if successful, the account provides the attacker with virtually unlimited rights. Rename the account, and create a new user account named Administrator that has not been granted special privileges. You should give this latter account a strong and complex password. You do not need to use this account; it merely serves as a decoy for attack efforts. Do this at the domain and local computer levels.

The best policy is to rename the Administrator account to a unique user name that is different on all servers; this minimizes the potential that somehow an attacker will be successful in determining that this new account is the Administrator account in disguise and also managing to crack its password. Because this account is so central to legitimate management tasks, you may view using unique names on every server as unmanageable in practice. In any case, the password for the disguised Administrator account should be unique and different from the other Administrator accounts in the enterprise.

Disable the Guest Account

By default, the Guest account is disabled on systems running Windows Server 2003. If the Guest account is enabled, you should disable it.

Set Account Lockout Policy

Windows Server 2003 includes an account lockout feature that will disable an account after a number of logon failures specified by an administrator. For maximum security, enable lockout after 3 to 5 failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to Forever (until admin unlocks).

This is a part of Windows Server 2003 policy and is set in the Domain Security Policy tool, which you can find under Administrative Tools on a domain controller. Select Security Settings, then select Account Policies and click Account Lockout Policy. To set lockout duration to Forever, enter a "0." Because this is domain-wide policy, you only have to perform this action once.

For service providers who may want specialized account security, the Windows Server 2003 Resource Kit includes a tool that allows you to adjust some account properties that are not accessible through the normal management tools. This tool, Passprop.exe, allows you to lock out the administrator account using the /adminlockout switch.

Remove All Unnecessary File Shares

Remove all unnecessary file shares on the system to prevent possible information disclosure and to prevent malicious users from using the shares as an entry to the local system.

Set Appropriate ACLs on All Necessary File Shares

By default all users have Full Control permissions on newly created file shares. You should set ACLs on all shares that are required on the system so that users have the appropriate share-level access (for example, Everyone = Read).

Install Antivirus Software and Updates

You should use antivirus software and processes to keep up to date on the latest virus threats. Such protection will only offer value if it is both possible to install and execute code on the target computer; and the protection technology is able to detect and neutralize such efforts. Nevertheless, the ongoing discovery of system shortfalls - such as buffer overruns and the like - that allow a hostile entity to run rogue bits on a computer certainly makes a case for the use of antivirus software.


Note

The Hosted Messaging and Collaboration test result data has not included the potential impact of third-party virus scanning tools. The Hosted Messaging and Collaboration team performed all scalability and procedural testing without the installation of third-party virus scanning tools.

For more information on security viruses is available at the List of antivirus software vendors.

Security Templates

The Security Configuration Wizard Roles provided as part of the solution offer baseline security for your hosting environment. Guidance on applying more stringent policies is available from Microsoft in the Windows 2003 Security Guide and the Windows Server 2003 SP1 documentation.

Every server security conscious organization will have their own methods for maintaining adequate system and network security.
This will change from organization to organization
Some common server hardening tips & tricks include:

Use Data Encryption for your Communications
Avoid using insecure protocols that send your information or passwords in plain text.
Minimize unnecessary software on your servers.
Disable Unwanted SUID and SGID Binaries
Keep your operating system up to date, especially security patches.
Using security extensions is a plus.
.
 - User Accounts should have very strong passwords
 - Change passwords on a regular basis and do not reuse them
 - Lock accounts after too many login failures. Often these login failures are illegitimate attempts to gain access to your system.
 - Do not permit empty passwords.
 - Minimize open network ports to be only what is needed for your specific circumstances.
  - Consider also using a hardware firewall
 - Separate partitions in ways that make your system more secure.
 - Disable unwanted binaries
 - Maintain server logs; mirror logs to a separate log server

 - Use brute force and intrusion detection systems
 - Limit user accounts to accessing only what they need. Increased access should only be on an as-needed basis.
 - Maintain proper backups
 - Don't forget about physical server security
http://technet.microsoft.com/en-us/library/cc526440.aspx

PDF versions
http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
http://infosecawareness.in/sysadmin/Windows-2008-Hardening.pdf

Mahesh
1
 

Author Comment

by:syinfra
ID: 39941916
Thanks a lot Mahesh. But if i get any checklist, it will be better for me.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39942012
Check below PDF for step by step checklist
https://www.ontariomd.ca/portal/server.pt/gateway/PTARGS_0_3897_0_0_18/Server_Hardening_Checklist.pdf

Also check server hardening templates from Dell
http://documents.software.dell.com/DOC22763

In reality you need to create your check list based on your requirements

Mahesh
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

Suggested Solutions

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits y…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now