2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Table of Contents
iii
Contents
Feedback .... xvi
Chapter 1: Introduction to the Windows Server 2003 Security Guide .... 1
Overview .... 1
Executive Summary .... 1
Who Should Read This Guide .... 2
Scope of this Guide .... 2
Chapter Summaries .... 3
Chapter 1: Introduction to the Windows Server 2003 Security Guide .... 4
Chapter 2: Windows Server 2003 Hardening Mechanisms .... 4
Chapter 3: The Domain Policy .... 4
Chapter 4: The Member Server Baseline Policy .... 4
Chapter 5: The Domain Controller Baseline Policy .... 5
Chapter 6: The Infrastructure Server Role .... 5
Chapter 7: The File Server Role .... 5
Chapter 8: The Print Server Role .... 5
Chapter 9: The Web Server Role .... 5
Chapter 10: The IAS Server Role .... 6
Chapter 11: The Certificate Services Server Role .... 6
Chapter 12: The Bastion Hosts Role .... 6
Chapter 13: Conclusion .... 6
Appendix A: Security Tools and Formats .... 7
Appendix B: Key Settings to Consider .... 7
Appendix C: Security Template Setting Summary .... 7
Appendix D: Testing the Windows Server 2003 Security Guide .... 7
Tools and Templates .... 7
Skills and Readiness .... 8
Software Requirements .... 8
Style Conventions .... 8
Summary .... 9
More Information .... 9
Chapter 2: Windows Server 2003 Hardening Mechanisms .... 10
Overview .... 10
Hardening with the Security Configuration Wizard .... 10
Creating and Testing Policies .... 11
Deploying Policies .... 12
Apply the Policy with the SCW GUI .... 12
Appl" the 8olic" with the +cwcmd Command-line Tool................2 Convert the +C3 8olic" to a 5roup 8olic" 1b?ect.......................2 *ardenin& +ervers with Active 7irector" 5roup 8olic"............................) Active 7irector" 9oundaries.........................................................) +ecurit" 9oundaries..............................................................) Administrative 9oundaries......................................................( Active 7irector" and 5roup 8olic".................................................6 7ele&atin& Administration and Appl"in& 5roup 8olic".................6 Administrative 5roups...........................................................6 5roup 8olic" Application.........................................................: Time Confi&uration................................................................; +ecurit" Template Mana&ement..............................................+uccessful 581 Application 2vents.........................................20 +ever 4ole 1r&ani>ational /nits.............................................20 1/# 581# and 5roup 7esi&n........................................................2( 8rocess 1verview............................................................................2( Create the Active 7irector" 2nvironment.......................................2' Confi&ure Time +"nchroni>ation...................................................2' Confi&ure the 7omain 8olic".......................................................26 Create the 9aseline 8olicies Manuall" /sin& +C3...........................2: Test the 9aseline 8olicies /sin& +C3............................................2Convert the 9aseline 8olicies to 581s...........................................2Create the 4ole 8olicies /sin& +C3..............................................)0 Test the 4ole 8olicies /sin& +C3..................................................)0 Convert the 4ole 8olicies to 
581s................................................). +ummar"......................................................................................). More 6nformation......................................................................)2 Chapter 3: !he "o ain #o$icy...........................................................33
1verview.......................................................................................)) 7omain 8olic"................................................................................)) 7omain 8olic" 1verview.............................................................)( Account 8olicies..............................................................................)( 8assword 8olic"..............................................................................)( 8assword 8olic" +ettin&s............................................................)' 2nforce password histor"......................................................)6 Ma0imum password a&e........................................................)6 Minimum password a&e........................................................): Minimum password len&th.....................................................):
Password must meet complexity requirements .... 38
Store password using reversible encryption .... 39
How to Prevent Users from Changing a Password Except When Required .... 39
Account Lockout Policy .... 40
Account Lockout Policy Settings .... 40
Account lockout duration .... 40
Account lockout threshold .... 41
Reset account lockout counter after .... 42
Kerberos Policies .... 42
Security Options .... 42
Security Options Settings .... 43
Microsoft network server: Disconnect clients when logon hours expire .... 43
Network Access: Allow anonymous SID/NAME translation .... 43
Network Security: Force Logoff when Logon Hours expire .... 44
Summary .... 44
More Information .... 45
Chapter 4: The Member Server Baseline Policy .... 46
Overview .... 46
Windows Server 2003 Baseline Policy .... 49
Audit Policy .... 49
Audit account logon events .... 51
Audit account management .... 52
Audit logon events .... 53
Audit object access .... 55
Audit policy change .... 57
Audit process tracking .... 59
Audit system events .... 60
User Rights Assignments .... 61
Access this computer from the network .... 64
Act as part of the operating system .... 64
Adjust memory quotas for a process .... 65
Allow log on locally .... 65
Allow log on through Terminal Services .... 65
Back up files and directories .... 65
Bypass traverse checking .... 65
Change the system time .... 66
Create a pagefile .... 66
Create a token object .... 66
Create global objects .... 66
Create permanent shared objects .... 66
Debug programs .... 67
Deny access to this computer from the network .... 67
Deny log on as a batch job .... 67
Deny logon as a service .... 68
Deny logon locally .... 68
Deny log on through Terminal Services .... 68
Enable computer and user accounts to be trusted for delegation .... 68
Force shutdown from a remote system .... 69
Generate security audits .... 69
Impersonate a client after authentication .... 69
Increase scheduling priority .... 69
Load and unload device drivers .... 69
Lock pages in memory .... 70
Log on as a service .... 70
Manage auditing and security log .... 70
Modify firmware environment values .... 70
Perform volume maintenance tasks .... 71
Profile single process .... 71
Profile system performance .... 71
Remove computer from docking station .... 71
Replace a process level token .... 71
Restore files and directories .... 72
Shut down the system .... 72
Synchronize directory service data .... 72
Take ownership of files or other objects .... 72
Security Options .... 72
Accounts Settings .... 73
Accounts: Administrator account status .... 73
Accounts: Guest account status .... 73
Accounts: Limit local account use of blank passwords to console logon only .... 74
Audit Settings .... 74
Audit: Audit the access of global system objects .... 74
Audit: Audit the use of Backup and Restore privilege .... 74
Audit: Shut down system immediately if unable to log security audits .... 75
Devices Settings .... 75
Devices: Allow undock without having to log on .... 75
Devices: Allowed to format and eject removable media .... 75
Devices: Prevent users from installing printer drivers .... 76
Devices: Restrict CD-ROM access to locally logged-on user only .... 76
Devices: Restrict floppy access to locally logged-on user only .... 76
Devices: Unsigned driver installation behavior .... 76
Domain Member Settings .... 77
Domain member: Digitally encrypt or sign secure channel data (always) .... 77
Domain member: Digitally encrypt secure channel data (when possible) .... 77
Domain member: Digitally sign secure channel data (when possible) .... 78
Domain member: Disable machine account password changes .... 78
Domain member: Maximum machine account password age .... 78
Domain member: Require strong (Windows 2000 or later) session key .... 78
Interactive Logon Settings .... 79
Interactive logon: Display user information when the session is locked .... 79
Interactive logon: Do not display last user name .... 80
Interactive logon: Do not require CTRL+ALT+DEL .... 80
Interactive logon: Message text for users attempting to log on .... 80
Interactive logon: Message title for users attempting to log on .... 80
Interactive logon: Number of previous logons to cache (in case domain controller is not available) .... 81
Interactive logon: Prompt user to change password before expiration .... 81
Interactive logon: Require Domain Controller authentication to unlock workstation .... 81
Interactive logon: Require smart card .... 81
Interactive logon: Smart card removal behavior .... 82
Microsoft Network Client Settings .... 82
Microsoft network client: Digitally sign communications (always) .... 82
Microsoft network client: Digitally sign communications (if server agrees) .... 83
Microsoft network client: Send unencrypted password to third-party SMB servers .... 83
Microsoft Network Server Settings .... 83
Microsoft network server: Amount of idle time required before suspending session .... 83
Microsoft network server: Digitally sign communications (always) .... 84
Microsoft network server: Digitally sign communications (if client agrees) .... 84
Microsoft network server: Disconnect clients when logon hours expire .... 84
Network Access Settings .... 85
Network access: Allow anonymous SID/name translation .... 86
Network access: Do not allow anonymous enumeration of SAM accounts .... 86
Network access: Do not allow anonymous enumeration of SAM accounts and shares .... 86
Network access: Do not allow storage of credentials or .NET Passports for network authentication .... 87
Network access: Let Everyone permissions apply to anonymous users .... 87
Network access: Named Pipes that can be accessed anonymously .... 87
Network access: Remotely accessible registry paths .... 88
Network access: Remotely accessible registry paths and sub-paths .... 88
Network access: Restrict anonymous access to Named Pipes and Shares .... 88
Network access: Shares that can be accessed anonymously .... 89
Network access: Sharing and security model for local accounts .... 89
Network Security Settings .... 89
Network security: Do not store LAN Manager hash value on next password change .... 90
Network security: LAN Manager authentication level .... 90
Network security: LDAP client signing requirements .... 91
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients .... 91
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers .... 92
Recovery Console Settings .... 92
Recovery console: Allow automatic administrative logon .... 92
Recovery console: Allow floppy copy and access to all drives and all folders .... 92
Shutdown Settings .... 93
Shutdown: Allow system to be shut down without having to log on .... 93
Shutdown: Clear virtual memory page file .... 93
System Cryptography Settings .... 94
+"stem cr"pto&raph"$ ,orce stron& ke" protection for user ke"s stored on the computer........................................................-( +"stem cr"pto&raph"$ /se ,68+ compliant al&orithms for encr"ption# hashin&# and si&nin&............................................-( +"stem 1b?ects +ettin&s.............................................................-( +"stem ob?ects$ 7efault owner for ob?ects created b" members of the Administrators &roup......................................................-' +"stem ob?ects$ 4e=uire case insensitivit" for non-3indows subs"stems.........................................................................-' +"stem ob?ects$ +tren&then default permissions of internal s"stem ob?ects @e.&. +"mbolic !inksA.................................................-' +"stem +ettin&s........................................................................-' +"stem settin&s$ 1ptional subs"stems....................................-6 +"stem settin&s$ /se Certificate 4ules on 3indows 20ecutables for +oftware 4estriction 8olicies..................................................-6 2vent !o&......................................................................................-6 Ma0imum application lo& si>e......................................................-: Ma0imum securit" lo& si>e..........................................................-: Ma0imum s"stem lo& si>e...........................................................-: 8revent local &uests &roup from accessin& application lo&...............-; 8revent local &uests &roup from accessin& securit" lo&....................-; 8revent local &uests &roup from accessin& s"stem lo&....................-; 4etention method for application lo&............................................-; 4etention method for securit" lo&................................................-4etention method for s"stem lo&.................................................-Additional 4e&istr" 
2ntries...............................................................-+ecurit" Consideration for etwork Attacks..................................00
1ther 4e&istr" 2ntries...............................................................00 Confi&ure et961+ ame 4elease +ecurit"$ Allow the computer to i&nore et961+ name release re=uests e0cept from 36 + servers ........................................................................................02 7isable Auto 5eneration of ;.) ,ile ames$ 2nable the computer to stop &eneratin& ;.) st"le filenames........................................02 7isable Autorun$ 7isable Autorun for all drives........................02 Make +creensaver 8assword 8rotection 6mmediate$ The time in seconds before the screen saver &race period e0pires @0 recommendedA...................................................................02 +ecurit" !o& ear Capacit" 3arnin&$ 8ercenta&e threshold for the securit" event lo& at which the s"stem will &enerate a warnin&. .0) 2nable +afe 7!! +earch 1rder$ 2nable +afe 7!! search mode @recommendedA..................................................................0) Automatic 4eboot$ Allow 3indows to automaticall" restart after a s"stem crash......................................................................0(
Automatic !o&on$ 2nable Automatic !o&on..............................0( Administrative +hares$ 2nable Administrative +hares...............0( 7isable +aved 8asswords$ 8revent the dial-up password from bein& saved........................................................................0( 2nable 68+ec to protect <erberos 4+C8 Traffic$ 2nable o7efault20empt for 68+ec ,ilterin&.......................................0' 4estricted 5roups...........................................................................0' +ecurin& the ,ile +"stem.................................................................0' Additional +ecurit" +ettin&s.............................................................06 Manual *ardenin& 8rocedures.....................................................0: Manuall" Addin& /ni=ue +ecurit" 5roups to /ser 4i&hts Assi&nments.......................................................................0: +ecurin& 3ell-<nown Accounts..............................................0; +ecurin& +ervice Accounts....................................................0T,+.................................................................................0Terminal +ervices +ettin&s....................................................02rror 4eportin&.........................................................................0 2nable Manual Memor" 7umps...............................................0 Creatin& the 9aseline 8olic" /sin& +C3......................................... Test the 8olic" /sin& +C3...........................................................2 Convert and 7eplo" the 8olic".....................................................) +ummar".......................................................................................) More 6nformation.......................................................................) Chapter ): !he "o ain Contro$$er 'ase$ine #o$icy...........................11(
1verview.......................................................................................6 7omain Controller 9aseline 8olic"................................................6 Audit 8olic" +ettin&s........................................................................: Audit director" service access......................................................: /ser 4i&hts Assi&nment +ettin&s.......................................................; Access this computer from the network.........................................; Add workstations to domain........................................................Allow lo& on locall"....................................................................Allow lo& on throu&h Terminal +ervices........................................20 Chan&e the s"stem time............................................................20 2nable computer and user accounts to be trusted for dele&ation......2. !oad and unload device drivers...................................................2. 4estore files and directories.......................................................2. +hutdown the s"stem................................................................22 +ecurit" 1ptions............................................................................22
Domain Controller Settings .... 122
Domain controller: Allow server operators to schedule tasks .... 122
Domain controller: LDAP server signing requirements .... 123
Domain controller: Refuse machine account password changes .... 123
Network Security Settings .... 123
Network security: Do not store LAN Manager hash value on next password change .... 123
Event Log Settings .... 124
Restricted Groups .... 124
Additional Security Settings .... 125
Manually Adding Unique Security Groups to User Rights Assignments .... 125
Directory Services .... 126
Relocating Data - Active Directory Database and Log Files .... 126
Resizing Active Directory Log Files .... 126
Using Syskey .... 127
Active Directory-Integrated DNS .... 128
Protecting DNS Servers .... 128
Configuring Secure Dynamic Updates .... 129
Limiting Zone Transfers to Authorized Systems .... 129
Resizing the Event Log and DNS Service Log .... 130
Securing Well-Known Accounts .... 130
Securing Service Accounts .... 130
Terminal Services Settings .... 131
Error Reporting .... 132
Creating the Policy Using SCW .... 132
Test the Policy Using SCW .... 133
Convert and Deploy the Policy .... 134
Summary .... 134
More Information .... 135
Chapter 6: The Infrastructure Server Role .... 136
Overview .... 136
User Rights Assignment Settings .... 137
Security Options .... 137
Event Log Settings .... 137
Additional Security Settings .... 137
Configure DHCP Logging .... 137
Protect Against DHCP Denial of Service Attacks .... 138
Securing Well-Known Accounts .... 138
Securing Service Accounts .... 139
Creating the Policy Using SCW .... 139
Test the Policy Using SCW .... 140
Convert and Deploy the Policy .... 141
Summary .... 141
More Information .... 142
Chapter 7: The File Server Role .... 143
Overview .... 143
Audit Policy Settings .... 143
User Rights Assignments .... 144
Security Options .... 144
Event Log Settings .... 144
Additional Security Settings .... 144
Securing Well-Known Accounts .... 144
Securing Service Accounts .... 145
Creating the Policy Using SCW .... 145
Test the Policy Using SCW .... 146
Convert and Deploy the Policy .... 147
Summary .... 147
More Information .... 147
Chapter 8: The Print Server Role .... 148
Overview .... 148
Audit Policy Settings .... 149
User Rights Assignments .... 149
Security Options .... 149
Microsoft network server: Digitally sign communications (always) .... 149
Event Log Settings .... 150
Additional Security Settings .... 150
Securing Well-Known Accounts .... 150
Securing Service Accounts .... 150
Creating the Policy Using SCW .... 151
Test the Policy Using SCW .... 152
Convert and Deploy the Policy .... 152
Summary .... 153
More Information .... 153
Chapter 9: The Web Server Role .... 154
Overview .... 154
Anonymous Access and the SSLF Settings .... 155
Table of Contents
0iii
Audit 8olic" +ettin&s.......................................................................'' /ser 4i&hts Assi&nments.................................................................'6 +ecurit" 1ptions............................................................................'6 2vent !o& +ettin&s.........................................................................'6 Additional +ecurit" +ettin&s.............................................................'6 6nstallin& 1nl" ecessar" 66+ Components...................................'6
2nablin& 1nl" 2ssential 3eb +ervice 20tensions............................6( 8lacin& Content on a 7edicated 7isk Colume.................................6' +ettin& T,+ 8ermissions..........................................................66
+ettin& 66+ 3eb +ite 8ermissions................................................66 Confi&urin& 66+ !o&&in&.............................................................6: Manuall" Addin& /ni=ue +ecurit" 5roups to /ser 4i&hts Assi&nments .............................................................................................6; +ecurin& 3ell-<nown Accounts...................................................6+ecurin& +ervice Accounts.........................................................:0 Creatin& the 8olic" /sin& +C3.........................................................:0 Test the 8olic" /sin& +C3..........................................................:. Convert and 7eplo" the 8olic"....................................................:. +ummar"......................................................................................:2 More 6nformation......................................................................:2 Chapter 10: !he I0S Server +o$e.....................................................1,3 1verview......................................................................................:) Audit 8olic"...................................................................................:) /ser 4i&hts Assi&nments.................................................................:( +ecurit" 1ptions............................................................................:( 2vent !o&.....................................................................................:( Additional +ecurit" +ettin&s.............................................................:( +ecurin& 3ell-<nown Accounts...................................................:( +ecurin& +ervice Accounts.........................................................:' Creatin& the 8olic" /sin& +C3.........................................................:' Test the 8olic" /sin& +C3..........................................................:6 Convert and 7eplo" the 
8olic"....................................................:: +ummar"......................................................................................:: More 6nformation......................................................................:; Chapter 11: !he Certi*icate Services Server +o$e.............................1,/ 1verview......................................................................................:Audit 8olic" +ettin&s.......................................................................;0 /ser 4i&hts Assi&nments.................................................................;0
0iv
+ecurit" 1ptions............................................................................;0 +"stem cr"pto&raph"$ /se ,68+ compliant al&orithms for encr"ption# hashin&# and si&nin&.................................................................;. 2vent !o& +ettin&s.........................................................................;. Additional 4e&istr" 2ntries...............................................................;. Additional +ecurit" +ettin&s.............................................................;2 ,ile +"stem AC!s......................................................................;2 +ecurin& 3ell-<nown Accounts...................................................;) +ecurin& +ervice Accounts.........................................................;( Creatin& the 8olic" /sin& +C3.........................................................;( Test the 8olic" /sin& +C3..........................................................;' Convert and 7eplo" the 8olic"....................................................;6 +ummar"......................................................................................;6 More 6nformation......................................................................;6 Chapter 12: !he 'astion Host +o$e..................................................1., 1verview......................................................................................;: 9astion *ost !ocal 8olic"............................................................;: Audit 8olic" +ettin&s.......................................................................;; /ser 4i&hts Assi&nments.................................................................;; 7en" access to this computer from the network............................;; +ecurit" 1ptions............................................................................;; 2vent !o& +ettin&s.........................................................................;Additional +ecurit" 
+ettin&s.............................................................;Manuall" Addin& /ni=ue +ecurit" 5roups to /ser 4i&hts Assi&nments .............................................................................................;+ecurin& 3ell-<nown Accounts...................................................-0 2rror 4eportin&........................................................................-0 Creatin& the 8olic" /sin& +C3.........................................................-. Test the 8olic" /sin& +C3..........................................................-2 6mplement the 8olic"................................................................-2 +ummar"......................................................................................-) More 6nformation......................................................................-) Chapter 13: Conc$usion...................................................................1/% More 6nformation......................................................................-' 0ppendi1 0: Security !oo$s and -or ats..........................................1/(
+ecurit" Tools................................................................................-6 +ecurit" Confi&uration 3i>ard.....................................................-6 +ecurit" Confi&uration 2ditor......................................................-6 Active 7irector" /sers and Computers.........................................-:
Table of Contents
0v
5roup 8olic" Mana&ement Console..............................................-: +ecurit" ,ile ,ormats......................................................................-: +C3 8olic" @.0mlA.....................................................................-: 8olic" Template @.infA................................................................-; 5roup 8olic" 1b?ects.................................................................-; 0ppendi1 ': 2ey Settings to Consider..............................................200 0ppendi1 C: Security !e p$ate Setting Su ary............................202
0ppendi1 ": !esting the Windows Server 2003 Security Guide........20% 1verview.....................................................................................20( +cope....................................................................................20( Test 1b?ectives........................................................................20( Test 2nvironment..........................................................................20' Testin& Methodolo&"......................................................................20: 8hases in a Test 8ass...............................................................20; Test 8reparation 8hase........................................................20; +ecurit" Confi&uration 9uild 8hase........................................20; Test 20ecution 8hase..........................................................2.. T"pes of Tests.........................................................................2.. Client +ide Tests ...............................................................2.. 7ocumentation 9uild Tests...................................................2.2 +cript Tests ......................................................................2.2 +erver +ide Tests ..............................................................2.2 8ass and ,ail Criteria................................................................2.2 4elease Criteria.......................................................................2.2 9u& Classification....................................................................2.) +ummar".....................................................................................2.( Acknowled&ments.........................................................................2.' Authors............................................................................2.' Content Contributors..........................................................2.' 
8ro&ram Mana&ers.............................................................2.' 2ditors..............................................................................2.' 4elease Mana&ers..............................................................2.' Testers.............................................................................2.' 4eviewers.........................................................................2.' 1ther Contributors.............................................................2.6
Feedback
The Microsoft Solutions for Security and Compliance team would appreciate your thoughts about this and other security solutions. Have an opinion? Let us know on the secguide weblog at http://blogs.technet.com/secguide, or e-mail your feedback to the following address: secwish@microsoft.com. We look forward to hearing from you.
Executive Summary
Whatever your environment, you are strongly advised to be serious about security issues. Many organizations underestimate the value of their information technology (IT) environment, often because they exclude substantial indirect costs. If an attack on the servers in your environment is severe enough, it could significantly damage the entire organization. For example, an attack in which your organization's Web site is brought down could cause a major loss of revenue or customer confidence, which could affect your organization's profitability. When you evaluate security costs, you should include the indirect costs that are associated with any attack in addition to the costs of lost IT functionality. Vulnerability, risk, and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computers are subject to in a networked environment.

This guide documents the major security countermeasures that are available in Windows Server 2003 with SP1, the vulnerabilities that they address, and the potential negative consequences (if any) of each countermeasure's implementation. The guide then provides specific recommendations about how to harden computers that run Windows Server 2003 with SP1 in three distinct enterprise environments. The Legacy Client (LC) environment must support older operating systems such as Windows 98. The Enterprise Client (EC) environment is one in which Windows 2000 is the earliest version of the Windows operating system in use. The third environment is one in which concern about security is so great that significant loss of client functionality and manageability is considered an acceptable tradeoff to achieve the highest level of security. This third environment is known as the Specialized Security – Limited Functionality (SSLF) environment.

Every effort has been made to make this information well organized and easily accessible so that you can quickly find and determine which settings are suitable for the computers in your organization. Although this guide is targeted at the enterprise customer, much of it is appropriate for organizations of any size. To get the most value out of the material, you will need to read the entire guide. You can also refer to the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, at http://go.microsoft.com/fwlink/?LinkId=15159. The team that produced this guide hopes that you will find the material covered in it useful, informative, and interesting.
The Enterprise Client (EC) environment consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and client computers that run Windows 2000 and Windows XP. The Specialized Security – Limited Functionality (SSLF) environment also consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and clients that run Windows 2000 and Windows XP. However, the Specialized Security – Limited Functionality settings are so restrictive that many applications may not function. For this reason, the servers' performance may be affected, and it will be more of a challenge to manage the servers. Also, client computers that are not secured by the SSLF policies could experience communication problems with client computers and servers that are secured by the SSLF policies. See the Windows XP Security Guide for information about how to secure client computers with SSLF-compatible settings.
Guidance about ways to harden computers in these three environments is provided for a group of distinct server roles. The countermeasures that are described and the tools that are provided assume that each server will have a single role. If you need to combine roles for some of the servers in your environment, you can customize the security templates that are included in the download that accompanies this guide to create the appropriate combination of services and security options. The roles that are described in this guide include:
    Domain controllers
    Infrastructure servers
    File servers
    Print servers
    Internet Information Services (IIS) servers
    Internet Authentication Services (IAS) servers
    Certificate Services servers
    Bastion hosts
The recommended settings in this guide were tested thoroughly in lab environments that simulated the previously described Legacy Client, Enterprise Client, and Specialized Security – Limited Functionality environments. These settings were proven to work in the lab, but it is important that your organization test these settings in your own lab that accurately represents your production environment. It is likely that you will need to make some changes to the security templates and the manual procedures that are documented within this guide so that all of your business applications continue to function as expected. The detailed information that is provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, provides the information that you need to assess each specific countermeasure and to decide which of them are appropriate for your organization's unique environment and business requirements.
Chapter Su""aries
The Windows Server 2003 Security Guide consists of 13 chapters. Each chapter builds on the end-to-end solution process that is required to implement and secure Windows Server 2003 with SP1 in your environment. The first few chapters describe how to build a foundation that will allow you to harden the servers in your organization, and the rest of the chapters document the procedures that are unique to each server role.
applications also must be protected from other Web sites and applications that run on the same IIS server. Practices to ensure that these measures are achieved by the IIS servers that run Windows Server 2003 with SP1 in your environment are described in detail in this chapter. IIS is not installed on members of the Microsoft Windows Server System™ family by default. When IIS is initially installed, it is in a highly secure "locked" mode. For example, the default settings only allow IIS to serve static content. Features such as Active Server Pages (ASP), ASP.NET, Server-Side Includes, WebDAV publishing, and Microsoft FrontPage® Server Extensions must be enabled by the administrator through the Web Service Extensions node in Internet Information Services Manager (IIS Manager). Sections in this chapter provide details about a variety of settings you can use to harden the IIS servers in your environment. The need to monitor, detect, and respond to security issues is emphasized to ensure that the servers stay secure. This chapter focuses on IIS Web protocols and applications, such as HTTP, and does not include guidance on the other protocols that IIS can provide, such as SMTP, FTP, and NNTP.
The files that accompany this guide are collectively referred to as tools and templates. These files are included in a .msi file within the self-extracting WinZip archive that contains this guide, which is available on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=14846. When you execute the .msi file, the following folder structure will be created in the location you specify:
    \Windows Server 2003 Security Guide Tools and Templates\Security Templates. This folder contains all security templates that are discussed in the guide.
    \Windows Server 2003 Security Guide Tools and Templates\Test Tools. This folder contains various files and tools that relate to "Appendix D: Testing the Windows Server 2003 Security Guide."
Software Requirements
The software requirements for the tools and templates that are documented in this guide are:
    Windows Server 2003 Standard Edition with SP1, Windows Server 2003 Enterprise Edition with SP1, or Windows Server 2003 Datacenter Edition with SP1.
    A Windows Server 2003–based Active Directory domain.
    Microsoft Excel 2000 or later.
Style Conventions
This guide uses the following style conventions and terminology.

Table 1.1 Style Conventions

Element          Meaning
Bold font        Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.
Italic font      Titles of books and other substantial publications appear in italic.
<Italic font>    Placeholders set in italic and angle brackets <file name> represent variables.
Monospace font   Defines code and script samples.
Note             Alerts the reader to supplementary information.
Important        Alerts the reader to essential supplementary information.
Summary
This chapter provided an overview of the primary factors that are involved in securing computers that run Windows Server 2003 with SP1, which are considered and discussed in greater detail in the rest of the guide. Now that you understand how this guide is organized, you can decide whether to read it from beginning to end or select only those sections that interest you. However, it is important to remember that effective and successful security operations require improvements in all of the areas that are discussed in this guide, not just a few. For this reason, Microsoft recommends that you read the entire guide to take full advantage of all the information it contains to secure computers that run Windows Server 2003 with SP1 in your organization.
More Information
The following links provide additional information about topics that relate to security and Windows Server 2003 with SP1.
    For more information about security at Microsoft, see the Trustworthy Computing page at www.microsoft.com/mscorp/twc/default.mspx.
    For more details about how MOF can assist in your enterprise, see the Microsoft Operations Framework page at www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx.
    For information about Microsoft security notifications, see the Microsoft Security Bulletin Search page at www.microsoft.com/technet/security/current.aspx.
This information provides a foundation and a vision that you can use to evolve from a Legacy Client (LC) environment to a Specialized Security – Limited Functionality (SSLF) environment within a domain infrastructure.
    Reduce protocol exposure to the server message block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Lightweight Directory Access Protocol (LDAP).
    Create useful Audit policies that capture the events of interest.
Detailed instructions about how to install, use, and troubleshoot SCW are available in a downloadable version of the Security Configuration Wizard Documentation at www.microsoft.com/downloads/details.aspx?FamilyID=903fd496-9eb9-4a45-aa00-3f2f20fd6171&displaylang=en.
Note: SCW can only be used with Windows Server 2003 with SP1. It cannot be used to create policies for Windows 2000 Server, Windows XP, or Windows Small Business Server 2003. To harden significant numbers of computers that run these operating systems, you will need to take advantage of the Group Policy-based hardening mechanisms described later in this chapter.
SCW advises the administrator about some of the most important registry settings. To reduce the complexity of the tool, the designers chose to include only those settings that have the greatest impact on security. However, this guide discusses many more registry settings. To overcome the limitations of SCW, you can combine security templates with the results of SCW to create a more complete configuration.

When you use SCW to create a new policy, it uses the current configuration of a server as the initial configuration. Therefore, you should target a server of the same type as the servers on which you intend to deploy the policy so that you can accurately describe the configuration of the server's roles. When you use the SCW graphical user interface (GUI) to create a new policy, it creates an XML file and saves it in the %systemdir%\security\msscw\Policies folder by default. After you create your policies, you can use either the SCW GUI or the Scwcmd command-line tool to apply the policies to your test servers. When you test the policies, you may need to remove a policy that you deployed. You can use either the GUI or the command-line tool to roll back the last policy you applied to a server or group of servers; SCW saves the previous configuration settings in XML files so that the rollback can restore them.

For organizations that have limited resources to design and test security configurations, SCW may be sufficient. Organizations that lack even those resources should not attempt to harden servers, because such efforts often result in unexpected problems and lost productivity. If your organization does not have the expertise and time available to deal with these types of issues, then you should focus on other important security activities such as application and operating system upgrades to current versions and update management.
Deploying Policies
There are three different options you can use to deploy your policies:
    Apply the policy with the SCW GUI
    Apply the policy with the Scwcmd command-line tool
    Convert the SCW policy to a Group Policy object and link it to a domain or OU
?ach option has its own advantages and drawbacks1 which are described in the following subsections.
Policies are replicated, deployed, and applied with familiar Active Directory–based mechanisms. Because they are native GPOs, policies can be used with OUs, policy inheritance, and incremental policies to fine-tune the hardening of servers that are configured similarly but not exactly the same as other servers. With Group Policy, you put these servers in a child OU and apply an incremental policy, whereas with SCW you would need to create a new policy for each unique configuration. Policies are automatically applied to all servers that are placed in the corresponding OUs. Native SCW policies must be either manually applied or used in conjunction with some custom scripting solution.
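The following script is an added example, not part of the Windows Server 2003 Security Guide or its tools and templates. It automates the second and third deployment options above: apply an SCW policy to a set of test servers with Scwcmd, roll a server back when the apply fails, and only transform the policy into a GPO once every test server took it cleanly. The scwcmd invocations (scwcmd configure /p: /m:, scwcmd rollback /m:, scwcmd transform /p: /g:) follow the Windows Server 2003 SP1 syntax; confirm them with scwcmd /? on your build. Server names, the policy path and the GPO name are constructed placeholders, and the runner is injectable so the control flow can be exercised offline with a fake in place of scwcmd.

```python
"""Apply an SCW policy to test servers with scwcmd, rolling back on failure.

Added example (not from the Windows Server 2003 Security Guide). The scwcmd
syntax is the Windows Server 2003 SP1 syntax; verify it with `scwcmd /?`.
Server names and policy paths below are constructed placeholders.
"""
import subprocess
from typing import Callable, Dict, List, Sequence

# A runner takes an argv list and returns the exit code. It is injected so the
# deployment logic can be tested without a Windows host (see make_fake_runner).
Runner = Callable[[List[str]], int]


def real_runner(argv: List[str]) -> int:
    """Run scwcmd for real; it lives in %systemroot%\\system32 on Server 2003 SP1."""
    return subprocess.run(argv, check=False).returncode


def configure_cmd(policy: str, machine: str) -> List[str]:
    """Deployment option 2: apply an SCW policy (.xml) to one server."""
    return ["scwcmd", "configure", f"/p:{policy}", f"/m:{machine}"]


def rollback_cmd(machine: str) -> List[str]:
    """Undo the last policy applied to a server (SCW kept the prior settings in XML)."""
    return ["scwcmd", "rollback", f"/m:{machine}"]


def transform_cmd(policy: str, gpo_name: str) -> List[str]:
    """Deployment option 3: turn the SCW policy into a GPO to link to a domain or OU."""
    return ["scwcmd", "transform", f"/p:{policy}", f"/g:{gpo_name}"]


def deploy_to_test_servers(policy: str, servers: Sequence[str],
                           run: Runner = real_runner) -> Dict[str, str]:
    """Apply `policy` to each test server; on a non-zero exit, roll that server back.

    Returns a per-server outcome: "applied", "rolled back" or "rollback failed".
    Servers are processed one at a time so a bad policy does not hit the whole set.
    """
    outcome: Dict[str, str] = {}
    for server in servers:
        if run(configure_cmd(policy, server)) == 0:
            outcome[server] = "applied"
            continue
        # The apply failed: restore the server's previous configuration.
        outcome[server] = ("rolled back" if run(rollback_cmd(server)) == 0
                           else "rollback failed")
    return outcome


def promote_to_gpo(policy: str, gpo_name: str, outcome: Dict[str, str],
                   run: Runner = real_runner) -> bool:
    """Convert to a GPO only once every test server took the policy cleanly."""
    if any(state != "applied" for state in outcome.values()):
        return False
    return run(transform_cmd(policy, gpo_name)) == 0


def make_fake_runner(failing: Sequence[str]) -> Runner:
    """Offline stand-in for scwcmd: 'configure' fails on the servers in `failing`."""
    def fake(argv: List[str]) -> int:
        # argv[3] is "/m:<machine>" for the configure command built above.
        if argv[1] == "configure" and argv[3][3:] in failing:
            return 1
        return 0
    return fake


if __name__ == "__main__":
    # Constructed data: two test file servers, one of which rejects the policy.
    fake = make_fake_runner(failing=["FS-TEST02"])
    result = deploy_to_test_servers(r"C:\Policies\FileServer.xml",
                                    ["FS-TEST01", "FS-TEST02"], run=fake)
    print(result)   # {'FS-TEST01': 'applied', 'FS-TEST02': 'rolled back'}
    print(promote_to_gpo(r"C:\Policies\FileServer.xml", "File Server Hardening",
                         result, run=fake))   # False: not every test server passed
```

Replace the fake runner with real_runner on a Windows Server 2003 SP1 host to drive scwcmd itself. The gate in promote_to_gpo is the point of the exercise: once the policy is a GPO linked to an OU, it reaches every server placed there automatically, so it should only be transformed after the test servers have proven it.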
Security Boundaries
Security boundaries help define the autonomy or isolation of different groups within an organization. It is difficult to balance the tradeoffs between adequate security (based on how the organization's business boundaries are established) and the need to maintain a consistent level of base functionality. To successfully achieve this balance, you must weigh the threats to your organization against the security implications of delegated administration permissions and other choices that involve your environment's network architecture.
The forest is the true security boundary of your network environment. This guide recommends that you create separate forests to keep your environment secure from potential compromise by administrators of other domains. This approach also helps ensure that the compromise of one forest does not automatically lead to the compromise of the entire enterprise.

A domain is a management boundary of Active Directory, not a security boundary. With an organization of well-intentioned individuals, a domain boundary will provide autonomous management of services and data within each domain of the organization. Unfortunately, with regard to security, isolation is not so simple to achieve. A domain, for example, will not completely isolate an attack from a rogue domain administrator. This level of separation can only be achieved at the forest level.

Within the domain, the organizational unit (OU) provides another level of management boundary. OUs provide a flexible way to group related resources and delegate management access to the appropriate personnel without providing them the ability to manage the entire domain. Like domains, OUs are not a true security boundary. Although you can assign permissions to an OU, all OUs in the same domain authenticate resources against the domain and forest resources. Still, a well-designed OU hierarchy will aid the development, deployment, and management of effective security measures.

Your organization may need to consider divided administrative control of services and data within the current Active Directory design. Effective Active Directory design requires that you completely understand your organization's requirements for service autonomy and isolation as well as for data autonomy and isolation.
Administrative Boundaries
Because of the potential need to segment services and data, you must define the different administration levels that are required. In addition to administrators who may perform unique services for your organization, this guidance recommends that you consider the following types of administrators.
Service Administrators
Active Directory service administrators are responsible for the configuration and delivery of the directory service. For example, service administrators maintain domain controller servers, control directory-wide configuration settings, and ensure service availability. You should consider the Active Directory administrators in your organization to be your service administrators. The Active Directory service configuration is often determined by attribute values. These attribute values correspond to settings for their respective objects, which are stored in the directory. Consequently, service administrators in Active Directory are also data administrators.

Your organizational needs may require you to consider other service administrator groups for your Active Directory service design. Some examples include:
    A domain administration group that is primarily responsible for directory services. The forest administrator chooses the group to administer each domain. Because of the high-level access that is granted to the administrator for each domain, these administrators should be highly trusted individuals. The domain administrators control the domains through the Domain Admins group and other built-in groups.
    Groups of administrators who manage DNS. The DNS administrator group completes the DNS design and manages the DNS infrastructure. The DNS administrator manages the DNS infrastructure through the DnsAdmins group.
    Groups of administrators who manage OUs. The OU administrator designates a group or individual as a manager for each OU. Each OU administrator manages the data that is stored within the assigned Active Directory OU. These groups can control how administration is delegated, and how policy is applied to objects within their OUs. OU administrators can also create new subtrees and delegate administration of the OUs for which they are responsible.
    Groups of administrators who manage infrastructure servers. The group that is responsible for infrastructure server administration manages WINS, DHCP, and potentially the DNS infrastructure. In some cases, the group that handles domain management will manage the DNS infrastructure, because Active Directory is integrated with DNS and the DNS data is stored and managed on the domain controllers.
Data Administrators
Active Directory data administrators manage data that is stored in Active Directory or on computers that are joined to Active Directory. These administrators have no control over the configuration or delivery of the directory service. Data administrators are members of a security group that is created by your organization. Sometimes the default security groups in Windows do not make sense for all situations in the organization. Therefore, organizations can develop their own security group naming standards and meanings to best fit their environment. Some of the data administrators' daily tasks include:
    Control a subset of objects in the directory. Through inheritable attribute-level access control, data administrators can be granted control of very specific sections of the directory but no control over the configuration of the service itself.
    Manage member computers in the directory and the data that is on those computers.
Note: In many cases, attribute values for objects that are stored in the directory determine the directory's service configuration.
To summarize, before the owners of Active Directory service and directory structures are allowed to join a forest or domain infrastructure, the organization must trust all service administrators in the forest and all domains. Also, enterprise security programs must develop standard policies and procedures that perform appropriate background checks for the administrators. In the context of this security guide, to trust service administrators means to:
    Reasonably believe that service administrators will primarily concern themselves with the organization's best interests. Organizations should not elect to join a forest or domain if the owners of that forest or domain might have legitimate reasons to act maliciously against the organization.
    Reasonably believe that service administrators will follow best practices and restrict physical access to the domain controllers.
    Understand and accept the risks to the organization that include the possibility for:
        Rogue administrators. Trusted administrators might become rogue administrators and abuse the privileges they have on the network. A rogue administrator within a forest could easily look up the security identifier (SID) for another administrator from another domain. The rogue administrator could then use an application programming interface (API) tool, disk editor, or debugger to add the stolen SID to the SID History list of an account within their own domain. With the stolen SID added to the user's SID History, the rogue administrator would have administrative privileges in the stolen SID's domain as well as their own domain.
        Coerced administrators. A trusted administrator might be coerced or compelled to perform operations that breach the security of a computer or the network. A user or administrator may use social engineering techniques or threats of physical or other harm on legitimate administrators of a computer to obtain the information that is needed to gain access to the computer.

Some organizations might accept the risk of a security breach by a rogue or a coerced service administrator from another part of the organization. Such organizations might determine that the collaborative and cost-saving benefit of participating in a shared infrastructure outweighs this risk. However, other organizations might not accept the risk because the potential consequences of a security breach are too severe.
Administrative Groups
Administrators can create administrative groups to segment clusters of users, security groups, or servers into containers for autonomous administration. For example, consider the infrastructure servers that reside in a domain. Infrastructure servers include all of the non-domain controllers that run basic network services, including servers that provide WINS and DHCP services. Oftentimes an operations group or an infrastructure administration group maintains these servers. You can use an OU to easily provide administrative capabilities to these servers. The following illustration provides a high-level view of such an OU configuration.
0i"ure 2 1 +( dele"ation of administration !hen the )nfrastructure &dmin group is delegated control of the 3nfrastructure $J1 the members of this group will have full control of the 3nfrastructure $J and all servers and ob7ects within the $J. This capability allows members of the group to secure the server roles with Hroup -olicy. This approach is only one way that $Js can be used to provide administrative segmentation. :or more comple9 organi'ations1 see the GMore 3nformationG section at the end of this chapter.
Note: Because Active Directory depends so heavily on DNS, it is common practice to run the DNS service on domain controllers. Domain controllers are placed in the built-in Domain Controllers OU by default. The examples in this guide follow this practice, so the infrastructure server role does not include the DNS service.
0i"ure 2 2 G%+ application 'ierarc'y As seen in the illustration1 policies are applied first at the local policy level of the computer. After that1 any H-$s are applied at the site level1 and then at the domain level. 3f the server is nested in several $Js1 H-$s that e9ist at the highest level $J are applied first. The H-$ application process continues down the $J hierarchy. The final H-$ to be applied is at the child $J level that contains the server ob7ect. The order of precedence for processing Hroup -olicy e9tends from the highest $J /farthest from the user or computer account0 to the lowest $J /the one that actually contains the user or computer account0. Kemember the following basic considerations when you apply Hroup -olicy" Bou must set the H-$ application order for Hroup -olicy levels with multiple H-$s. 3f multiple policies specify the same option1 the last one that is applied will take precedence. Bou must configure a Hroup -olicy with the .o +verride option if you do not want other H-$s to override it. 3f you use the Hroup -olicy Management Console /H-MC0 to manage your H-$s1 the name of this option is !nforced.
Time Confi"uration
Many security services, especially authentication, rely on an accurate computer clock to perform their jobs. You should ensure computer time is accurate and that all servers in your organization use the same time source. The Windows Server 2003 W32Time service provides time synchronization for Windows Server 2003 and Microsoft Windows XP-based computers that run in an Active Directory domain. The W32Time service synchronizes the clocks of Windows Server 2003-based computers with the domain controllers in a domain. This synchronization is necessary for the Kerberos protocol and other authentication protocols to work properly. To function correctly, a number of Windows Server family components rely on accurate and synchronized time. If the clocks are not synchronized on the clients, the Kerberos authentication protocol might deny access to users.
Another important benefit that time synchronization provides is event correlation on all of the clients in your enterprise. Synchronized clocks on the clients in your environment ensure that you can correctly analyze events that take place in uniform sequence on those clients throughout the organization. The W32Time service uses the Network Time Protocol (NTP) to synchronize clocks on computers that run Windows Server 2003. In a Windows Server 2003 forest, time is synchronized by default in the following manner:
• The primary domain controller (PDC) emulator operations master in the forest root domain is the authoritative time source for the organization.
• All PDC operation masters in other domains in the forest follow the hierarchy of domains when they select a PDC emulator with which to synchronize their time.
• All domain controllers in a domain synchronize their time with the PDC emulator operations master in their domain as their inbound time partner.
• All member servers and client desktop computers use the authenticating domain controller as their inbound time partner.
To ensure that the time is accurate, the PDC emulator in the forest root domain can be synchronized to an authoritative time source, such as a reliable NTP source or a highly accurate clock on your network. Note that NTP synchronization uses UDP port 123 traffic. Before you synchronize with an external server, you should weigh the benefits of opening this port against the potential security risk. Also, if you synchronize with an external server that you do not control, you risk configuring your servers with the incorrect time. The external server could be compromised or spoofed by an attacker to maliciously manipulate the clocks on your computers. As explained earlier, the Kerberos authentication protocol requires synchronized computer clocks. If they are not synchronized, a denial of service may occur.
make it as restrictive as possible and segment any servers that need to differ from this policy into separate server-specific OUs.
As mentioned earlier in this chapter, this approach is only one of many ways to create an OU structure that you can use to deploy GPOs. For more information about how to create OUs for Group Policy implementation, see "Designing the Active Directory Structure" and related topics at www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/deploy/dgbd_ads_heqs.asp?frame=true.
The following table lists the Windows Server 2003 server roles and corresponding template files that are defined in this guide. The security template file names are prefixed with the {Env} variable, which would be replaced by LC (for Legacy Client), EC (for Enterprise Client), or SSLF (for Specialized Security – Limited Functionality) as appropriate.

Table 2.1 Windows Server 2003 Server Roles

Server role | Description | Security template file name
Member server | All servers that are members of the domain and reside in or below the Member Servers OU. | {Env}-Member Server Baseline.inf
Domain controller | All Active Directory domain controllers. These servers are also DNS servers. | {Env}-Domain Controller.inf
Infrastructure server | All locked down WINS and DHCP servers. | {Env}-Infrastructure Server.inf
File server | All locked down file servers. | {Env}-File Server.inf
Print server | All locked down print servers. | {Env}-Print Server.inf
Web server | All locked down IIS web servers. | {Env}-Web Server.inf
IAS server | All locked down IAS servers. | {Env}-IAS Server.inf
Certificate Services server | All locked down Certification Authority (CA) servers. |
Bastion host | All Internet-facing servers. |
All template files except those for the bastion host servers are applied to the corresponding child OUs. Each of these child OUs requires that you apply the specific configuration to define the role that each computer will fulfill in the organization. The security requirements for each of these server roles are different. Appropriate security settings for each role are discussed in detail in later chapters. Note that not all roles have templates that correspond to all environments. For example, the bastion host role is always considered to be in the SSLF environment.
Important: This guide assumes that computers that run Windows Server 2003 will perform specifically defined roles. If the servers in your organization do not match these roles, or if you have multipurpose servers, use the settings that are defined here as guidelines for your own security templates. However, remember that the more functions that each of your servers perform, the more vulnerable they are to attack.
An example of the final OU design to support these defined server roles in the EC environment is shown in the following illustration.
Each administrative group was created as a global group within the domain by the Domain Engineering members, who are responsible for Active Directory infrastructure and security. They used the corresponding GPO to add each of these administrative groups to the appropriate restricted group. The administrative groups that are listed in the table will only be members of the Local Administrators group for the computers that are located in the OUs that specifically contain computers that are related to their job functions. Finally, the Domain Engineering members set permissions on each GPO so that only administrators in their group are able to edit them. Note that the creation and configuration of these groups is a part of your overall Active Directory design and implementation process. It is not part of this guide.
Process Overview
This guide combines the strengths of the SCW-based and Group Policy-based approaches. This hybrid approach allows you to create and test security configurations more easily, but still provides the flexibility and scalability that is required in large Windows networks. The process that is used to create, test, and deploy the policies is as follows:
1. Create the Active Directory environment, including groups and OUs. You should create the appropriate administrative groups and delegate OU permissions to the corresponding groups.
2. Configure time synchronization on the domain controller that hosts the PDC Emulator FSMO.
3. Configure the domain policies.
4. Create the baseline policies with SCW.
5. Test the baseline policies with SCW.
6. Convert the baseline policies to GPOs and link them to the appropriate OUs.
7. Create the role policies with SCW and the included security templates.
8. Test the role policies with SCW.
9. Convert the role policies to GPOs and link them to the appropriate OUs.
The following sections describe these steps in greater detail.
Note: For simplicity, the examples in this section assume the use of the Enterprise Client (EC) environment. If you use one of the other two environments, substitute the appropriate file names. The differences between the three environments and their functionality are discussed in Chapter 1, "Introduction to the Windows Server 2003 Security Guide."
nviron"ent
Before you can begin the hardening process, you must have an appropriate Active Directory domain and OU structure in place. The following procedure lists the steps that you will use to create the OUs and groups that are used in this guide and configure them for the appropriate administrative access.
1. Open the MMC Active Directory Users and Computers snap-in (Dsa.msc).
2. In the root of the domain object, create an OU called Member Servers.
3. Navigate to this new OU and create a child OU within it called Infrastructure.
4. Move all WINS and DHCP servers into the Infrastructure OU.
5. Create a global security group called Infrastructure Admins and add the appropriate domain accounts to it.
6. Run the Delegation of Control Wizard to provide the Infrastructure Admins group with Full Control of the OU.
7. Repeat steps 3 through 6 for the file server, print server, web server, IAS server, and Certificate Services server roles. Use the information in Table 2.2 for the appropriate OU and group names.
clocks with an external source if they are synchronized with the same internal source. By default, member computers always synchronize their clocks with domain controllers.
Note: For accurate log analysis, you should also synchronize the clocks of network computers that run operating systems other than Windows to the Windows Server 2003 PDC emulator or to the same time source for that server.
To import the Domain Policy security templates
1. In Active Directory Users and Computers, right-click the domain, and then select Properties.
2. On the Group Policy tab, click New to add a new GPO.
3. Type EC-Domain Policy, and then press ENTER.
4. Right-click EC-Domain Policy, and then select No Override.
5. Select EC-Domain Policy, and then click Edit.
6. In the Group Policy Object Editor window, click Computer Configuration\Windows Settings. Right-click Security Settings, and then select Import Policy.
7. In the Import Policy From dialog box, navigate to \Tools and Templates\Security Guide\Security Templates and then double-click EC-Domain.inf.
8. Close the Group Policy that has been modified.
9. Close the Domain Properties window.
10. If you do not want to wait for scheduled Group Policy application, you can initiate the process manually. Open a command prompt, type gpupdate /force and press ENTER.
11. Verify in the event log that the Group Policy downloaded successfully and that the server can communicate with the other domain controllers in the domain.
Warning: When you create the EC-Domain Policy, ensure that the No Override option is enabled to enforce this policy throughout the domain. This Group Policy is the only one in this guide in which the No Override option must be enabled. Do not enable this option in any of the other Group Policies that are specified in this guide. Also, do not modify the Windows Server 2003 default domain policy, in case you need to return to its default settings.
To ensure that this new Group Policy has precedence over the default policy, position it to have the highest priority among the GPO links.
Important: You should import this Group Policy into any additional domains in the organization to ensure consistent application of password policy. However, it is not uncommon to find environments in which the root domain password policy is much stricter than any of the other domains. You should also ensure that any other domains that will use this same policy have the same business requirements. Because the password policy can only be set at the domain level, there may be business or legal requirements that segment some users into a separate domain simply to enforce the use of a stricter password policy on that group.
To clear the Allow Inheritable Permissions option
By default, the new OU structure inherits many security settings from its parent container. For each OU, clear the check box for Allow inheritable permissions from parent to propagate to this object and all child objects.
1. Open Active Directory Users and Computers.
2. Click View and then Advanced Features to select the Advanced view.
3. Right-click the appropriate OU, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Clear the Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries specifically defined here check box. Remove any unnecessary groups that were previously added by administrators, and add the domain group that corresponds to each server role OU. Retain the Full Control setting for the Domain Administrators group.
10. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
11. Review the network settings and ensure that the appropriate ports and applications have been detected and will be configured as exceptions for the Windows Firewall.
12. Skip the "Registry Settings" section.
13. Skip the "Audit Policy" section.
14. Include the appropriate security template (for example, EC-Member Server Baseline.inf).
15. Save the policy with an appropriate name (for example, Member Server Baseline.xml).
To create the Domain Controller policy
You must use a computer that is configured as a domain controller to create the Domain Controller policy. You can use either an existing domain controller or create a reference computer and use the Dcpromo tool to make the computer a domain controller. However, most organizations do not want to add a domain controller to their production environment because it may violate their security policy. If you use an existing domain controller, make sure that you do not apply any setting to it with SCW or modify its configuration.
1. Install the Security Configuration Wizard component on the computer through Control Panel, Add/Remove Programs, Add/Remove Windows Components.
2. Install only the mandatory applications that should be on every server in your environment. Examples include your software and management agents, tape backup agents, and antivirus or antispyware utilities.
3. Launch the SCW GUI, select Create new policy, and point it to the reference computer.
4. Ensure that the detected roles are appropriate for your environment.
5. Ensure that the detected client features are appropriate for your environment.
6. Ensure that the detected administrative options are appropriate for your environment.
7. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
8. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network, because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
9. Review the network settings and ensure that the appropriate ports and applications have been detected and will be configured as exceptions for the Windows Firewall.
10. Skip the "Registry Settings" section.
11. Skip the "Audit Policy" section.
12. Include the appropriate security template (for example, EC-Domain Controller.inf).
13. Save the policy with an appropriate name (for example, Domain Controller.xml).
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Again, Microsoft strongly recommends that you deploy your role policies in a test environment before you use them in production. This approach will help minimize downtime and failures in your production environment. After you thoroughly test the new configuration, you can convert the policies into GPOs as shown in the following procedure and apply them to the appropriate OU.
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU, and make sure to move it above the Default Domain Controllers Policy so that it receives the highest priority. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
Su""ary
Security administrators need to understand the strengths and weaknesses of SCW compared to conventional Group Policy-based hardening methods so that they can choose the right methodology for their environment. SCW and Group Policy can be used together to gain the ability to rapidly and consistently prototype policies that SCW provides together with the scalable deployment and management capabilities of Group Policy. Several design considerations are involved when forest, domain, and OU designs are reviewed to secure an environment. It is important to research and document any specific autonomy and isolation requirements for the organization. Political autonomy, operational isolation, and legal or regulatory isolation are all valid reasons to consider complex forest designs. It is important that you understand how to control service administrators. Malicious service administrators can present a great risk to an organization. At a lower level, malicious domain administrators can access data in any domain in the forest. Although it may not be easy to change the forest or domain design in an organization, it may be necessary to remediate some security risks. It is also important to plan the OU deployment in the organization to accommodate the needs of both service administrators and data administrators. This chapter provided detailed information about how to create an OU model that will support the use of GPOs for the ongoing management of different server roles in the organization.
)ore In&or"ation
The following links provide additional information about topics that relate to hardening servers that run Windows Server 2003 with SP1.
• For more information about security and privacy at Microsoft, see the Trustworthy Computing: Security page at www.microsoft.com/mscorp/twc/default.mspx.
• For sound security guidelines, see "Ten Immutable Laws of Security" at www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx.
• For guidance about how to secure the Active Directory database, see "Best Practice Guide for Securing Active Directory Installations" at www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91.
• For information about Active Directory design considerations, see "Design Considerations for Delegation of Administration in Active Directory" at www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx.
• For information about how to configure a time server, see the Microsoft Knowledge Base article "How to configure an authoritative time server in Windows 2000" at http://support.microsoft.com/?kbid=216734.
• For information about network ports that are used by Microsoft applications, see the Microsoft Knowledge Base article "Service overview and network port requirements for the Windows Server system" at http://support.microsoft.com/kb/832017.
This information provides a foundation and a vision for how to evolve from an LC environment to an SSLF environment within a domain infrastructure. Windows Server 2003 with SP1 ships with default values that are set to a known, highly secure state. To improve the usability of this material, this chapter only discusses those settings that have been modified from the default values. For information about all default settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
*o"ain +o#icy
You can apply Group Policy security settings at several different levels in an organization. The baseline environment that is discussed in Chapter 2, "Windows Server 2003 Hardening Mechanisms," used Group Policy to apply settings at the following three hierarchy levels in the domain infrastructure:
• Domain Level. Settings at this level address common security requirements, such as account and password policies that must be enforced for all servers in the domain.
• Baseline Level. Settings at this level address specific server security requirements that are common to all servers in the domain infrastructure.
• Role-Specific Level. Settings at this level address security requirements for specific server roles. For example, the security requirements for infrastructure servers differ from those for servers that run Microsoft Internet Information Services (IIS).
The following sections of this chapter will only discuss the Domain Level policy in detail. Most of the domain security settings that are addressed are for user accounts and passwords. When you review these settings and recommendations, remember that all settings apply to every user in the domain boundary.
This guide recommends that you create a new Group Policy at the domain root to apply the domain-wide policies that are discussed in this chapter. This approach will make it easier for you to test or troubleshoot the new Group Policy, because if you need to roll back changes you can simply disable it. However, some applications that are designed to work with Active Directory make changes to the built-in Default Domain Policy. These applications are not going to be aware of the new Group Policy you implemented if you follow the recommendations in this guide. Before you deploy new enterprise applications, be sure to test them thoroughly. If you encounter problems, check to see whether the application has modified account policies, created new user accounts, modified user rights, or made other changes to the Default Domain Policy or local computer policies.
Account Policies
Account policies, which include password policy, account lockout policy, and Kerberos policy security settings, are only relevant in the domain policy for all three environments that are defined in this guide. Password policy provides a way to set complexity and change schedules for high security environments. Account lockout policy allows tracking of unsuccessful password logon attempts to initiate account lockouts if necessary. Kerberos policies are used for domain user accounts, and determine settings that relate to the Kerberos authentication protocol, such as ticket lifetimes and enforcement.
Password Policy
Complex passwords that are changed on a regular basis reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime for passwords. This section discusses each specific password policy setting and how they relate to each of the three environments that are defined in this guide: Legacy Client, Enterprise Client, and Specialized Security – Limited Functionality.
Strict requirements for password length and complexity do not necessarily mean that users and administrators will use strong passwords. Although password policy may require users to comply with technical complexity requirements, additional strong security policy is needed to ensure that users create passwords that are hard to compromise. For example, Breakfast! might meet all password complexity requirements, but it is not a very difficult password to crack. If you know certain facts about the person who creates a password, you might be able to guess their password if it is based on their favorite food, car, or movie. One strategy of organizational security programs that seek to educate users about strong passwords is to create a poster that describes poor passwords and display it in common areas, such as near a water fountain or copy machine. Your organization should set strong password creation guidelines that include the following:
• Avoid the use of words from a dictionary in any language, including common or clever misspellings of words.
• Do not create a new password that simply increments a digit in your current password.
• Avoid the use of passwords that begin or end with a numeral because they can be guessed more easily than passwords that have a numeral in the middle.
• Avoid the use of passwords that others can easily guess by looking at your desk (such as names of pets, sports teams, and family members).
• Avoid the use of words from popular culture.
• Enforce the use of passwords that require you to type with both hands on the keyboard.
• Enforce the use of uppercase and lowercase letters, numbers, and symbols in all passwords.
• Enforce the use of space characters and characters that can be produced only by pressing the ALT key.
You should also use these guidelines for all service account passwords in your organization.
Table 3.1 Password Policy Setting Recommendations

Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality
Enforce password history | 24 passwords remembered | 24 passwords remembered | 24 passwords remembered
Maximum password age | 42 days | 42 days | 42 days
Minimum password age | 1 day | 1 day | 1 day
Minimum password length | 8 characters | 8 characters | 12 characters
Password must meet complexity requirements | Enabled | Enabled | Enabled
Store password using reversible encryption | Disabled | Disabled | Disabled
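The password creation guidelines listed above and the Table 3.1 values (minimum length per environment, 24-password history, complexity) combined into one checker, as an added example in Python that is not part of the guide. The word list, the keyboard-half sets and the sample passwords are constructed; the complexity rule implemented is Windows' own (at least three of four character classes and no occurrence of the account name).

```python
"""Checker for the Table 3.1 password policy values and the password creation
guidelines of this chapter. Added example, not code from the Security Guide;
the dictionary, keyboard halves and sample passwords are constructed."""
import re
from typing import Iterable, List, Optional

# Table 3.1: only the minimum length differs between the three environments
MIN_LENGTH = {"LC": 8, "EC": 8, "SSLF": 12}
HISTORY_SIZE = 24       # "Enforce password history: 24 passwords remembered"

# Constructed stand-in for a dictionary / popular-culture word list
DICTIONARY = {"password", "breakfast", "dragon", "welcome", "summer", "football"}
# common substitutions, so that "Br3akfast" is still recognised as "breakfast"
LEET = str.maketrans("0134$@", "oieasa")

# keys normally struck with each hand on a US layout ("type with both hands")
LEFT_HAND = set("`12345qwertasdfgzxcvb~!@#$%")
RIGHT_HAND = set("67890-=yuiop[]\\hjkl;'nm,./^&*()_+{}|:\"<>?")


def complexity_ok(password: str, account_name: str) -> bool:
    """Windows 'Password must meet complexity requirements': at least three of
    the four character classes and no occurrence of the account name."""
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        return False
    name = account_name.lower()
    return not (len(name) >= 3 and name in password.lower())


def increments_digit(new: str, current: str) -> bool:
    """True for changes like 'Welcome1' -> 'Welcome2' (one digit bumped by one)."""
    if len(new) != len(current):
        return False
    diffs = [(old, cur) for old, cur in zip(current, new) if old != cur]
    if len(diffs) != 1:
        return False
    old, cur = diffs[0]
    return old.isdigit() and cur.isdigit() and (int(old) + 1) % 10 == int(cur)


def check_password(new: str, env: str, account_name: str,
                   current: Optional[str] = None,
                   history: Iterable[str] = (),
                   personal: Iterable[str] = ()) -> List[str]:
    """Return the rules the proposed password violates (empty = acceptable).

    `history` holds previous passwords, oldest first; `personal` holds words
    someone could read off the user's desk (pets, teams, family names)."""
    problems = []
    if len(new) < MIN_LENGTH[env]:
        problems.append(f"shorter than {MIN_LENGTH[env]} characters ({env})")
    if not complexity_ok(new, account_name):
        problems.append("does not meet complexity requirements")
    if new == current or new in list(history)[-HISTORY_SIZE:]:
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    if current and increments_digit(new, current):
        problems.append("only increments a digit of the current password")
    if new and (new[0].isdigit() or new[-1].isdigit()):
        problems.append("begins or ends with a numeral")
    low = new.lower()
    letters_only = re.sub(r"[^a-z]", "", low)
    unleeted = re.sub(r"[^a-z]", "", low.translate(LEET))
    hits = {letters_only, unleeted} & DICTIONARY
    if hits:
        problems.append("based on a dictionary word: " + ", ".join(sorted(hits)))
    for word in personal:
        if word.lower() in low:
            problems.append(f"contains personal information '{word}'")
    chars = set(low)
    if not (chars & LEFT_HAND and chars & RIGHT_HAND):
        problems.append("typed with one hand only")
    return problems


if __name__ == "__main__":
    # the chapter's own example: meets complexity, but is a dictionary word
    print(check_password("Breakfast!", "EC", "jsmith"))
    print(check_password("Welcome2", "EC", "jsmith", current="Welcome1"))
    print(check_password("Tr0ub&Dor!Rig", "SSLF", "jsmith"))
```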
to change their password so often that they cannot remember what it is. To balance the needs of security and usability, you can increase the value for this policy setting in the Legacy Client and Enterprise Client environments.
all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters, such as ! or $. Passwords are stored in the Security Accounts Manager (SAM) database or Active Directory after they are passed through a one-way (non-reversible) hash algorithm. Therefore, the only known way to tell if you have the right password is to run it through the same one-way hash algorithm and compare the results. Dictionary attacks run entire dictionaries through the encryption process, looking for matches. They are a simplistic yet very effective approach to determine who uses common words like "password" or "guest" as their account passwords. Older versions of Windows used a specific type of hashing algorithm known as the LAN Manager Hash (LMHash). This algorithm breaks up the password into blocks of seven or fewer characters and then calculates a separate hash value for each block. Although Windows 2000 Server, Windows XP, and Windows Server 2003 all use a newer hashing algorithm, they may still calculate and store the LMHash for backward compatibility. When the LMHash values are present, they present a shortcut for password crackers. If a password is seven characters or less, the second half of the LMHash resolves to a specific value that can inform a cracker that the password is shorter than eight characters. Passwords of at least eight characters strengthen even the weaker LMHash, because the longer passwords require crackers to decrypt two portions of each password instead of only one. It is possible to attack both halves of an LMHash in parallel, and the second half of the LMHash is only 1 character long; it will succumb to a brute-force attack in milliseconds. Therefore it is not really beneficial unless it is part of the ALT character set. For these reasons, the use of shorter passwords in place of longer ones is not recommended.
However, minimum length requirements that are too long may cause more mistyped passwords, which can cause an increase in locked out accounts and help desk calls. Also, extremely long password requirements can actually decrease the security of an organization because users may be more likely to write their passwords down so that they do not forget them.
For these reasons, Microsoft recommends that the Password must meet complexity requirements setting be configured to Enabled for all three environments that are defined in this guide.
Specialized Security – Limited Functionality environments. This configuration decreases the amount of operation overhead during a denial of service (DoS) attack. In a DoS attack, an attacker maliciously performs a number of failed logon attempts on all users in the organization, which locks out their accounts. The recommended settings give locked out users the chance to log on again in a reasonable amount of time without the need for assistance from the help desk. However, information about this setting value needs to be communicated to users.
3f these criteria are not met1 the second option is to configure the &ccount loc=out t'res'old setting to a high enough value that will provide users with the ability to accidentally mistype their password several times and not lock themselves out of their accounts. However1 the value should help ensure that a brute force password attack will still lock out the account.
This guide recommends that you configure the &ccount loc=out t'res'old setting value to <0 for the Legacy Client and ?nterprise Client environments1 which should provide ade=uate security and acceptable usability. This value will prevent accidental account lockouts and reduce help desk calls1 but will not prevent a DoS attack as described earlier. However1 this guide recommends that you configure this policy setting value to 10 for Speciali'ed Security % Limited :unctionality environments.
Kerberos Policies
Kerberos policies are used for domain user accounts. These policies determine settings that relate to the Kerberos version 5 authentication protocol, such as ticket lifetimes and enforcement. Kerberos policies do not exist in the local computer policy. If you reduce the lifetime of Kerberos tickets, the risk of an attacker who attempts to steal passwords to impersonate legitimate user accounts is decreased. However, the need to maintain these policies increases the authorization overhead. In most environments, the default values for these policies should not be changed. Because the Kerberos settings are included in the default domain policy and enforced there, this guide does not include them in the security templates that accompany this guide. This guide recommends that no changes be made to the default Kerberos policies. For more information about these policy settings, refer to the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
Security Options
The three different types of account policies that are discussed earlier in this chapter are defined at the domain level and are enforced by all of the domain controllers in the domain. A domain controller always obtains the account policy from the Default Domain Policy GPO, even if there is a different account policy applied to the OU that contains the domain controller. There are three security options settings that are similar to account policies. You should apply these settings at the level of the entire domain and not within individual OUs. You can configure these settings in the Group Policy Object Editor at the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
may not be able to communicate with domains that are based on Windows Server 2003 with SP1. Examples of such computers include:
- Windows NT® 4.0–based Remote Access Service servers.
- Microsoft SQL Server™ servers that run on Windows NT 3.x–based or Windows NT 4.0–based computers.
- Remote Access Service servers that run on Windows 2000–based computers that are located in Windows NT 3.x domains or Windows NT 4.0 domains.
This guide recommends that you configure the Network access: Allow anonymous SID/NAME translation setting to Disabled for the three environments that are defined in the guide.
Summary
This chapter discussed the need to review all domain-wide settings in the organization. Only one set of password, account lockout, and Kerberos version 5 authentication protocol policies can be configured for each domain. Other password and account lockout settings will only affect the local accounts on member servers. Plan to configure settings that will apply to all member servers of the domain, and ensure that these settings provide an adequate level of security across your organization.
More Information
The following links provide additional information about topics that relate to domain policy for servers that run Windows Server 2003 with SP1. For information about the ability of anonymous users to request security identifier attributes for other users, see the Network access: Allow anonymous SID/name translation page at http://technet2.microsoft.com/WindowsServer/en/Library/299803be-0e85-4c60-b0b5-1b64486559b31033.mspx. For information about network security and how to force logoff when logon hours expire, see “The Mole #32: Technical Answers from Inside Microsoft - Moving Users, Sharing Printers, Two PDCs, Logoff, BackTalk” at www.microsoft.com/technet/archive/community/columns/inside/techan32.mspx. Also, see the Microsoft Knowledge Base article “Guest Account Cannot be Used When Anonymous Access Is Disabled” at http://support.microsoft.com/?kbid=251171.
controllers and member servers in this environment run Windows 2000 Server or Windows Server 2003. Specialized Security – Limited Functionality (SSLF). This environment provides much stronger security than the EC environment. Migration from the EC environment to the Specialized Security – Limited Functionality (SSLF) environment requires compliance with stringent security policies for both client computers and servers. This environment includes client computers that run Windows 2000 Professional and Windows XP Professional, and domain controllers that run Windows 2000 Server or Windows Server 2003. In the SSLF environment, security concerns are so great that significant loss of client functionality and manageability is considered an acceptable tradeoff if the highest levels of security can be achieved. Member servers in this environment run Windows 2000 Server or Windows Server 2003.
You will notice that in many cases the SSLF environment will explicitly set the default value. You should assume that this configuration will affect compatibility, because it may cause applications that attempt to adjust some settings locally to fail. For example, some applications need to adjust user rights assignments to grant their service account additional privileges. Because Group Policies take precedence over local machine policy, these operations will fail. You should thoroughly test all applications before you deploy any of the recommended settings to your production computers, especially SSLF settings. The following figure shows the three security environments and the clients that are supported in each.
Figure 4.1 Existing and planned security environments
Organizations that want to secure their environments by means of a phased approach may choose to start at the Legacy Client environment level and then gradually migrate to more secure environments as they upgrade and test their applications and client computers with tightened security settings. The following figure shows how the .inf file security templates are used as a foundation for the Enterprise Client – Member Server Baseline Policy (MSBP). The figure also shows one possible way to link this policy and apply it to all servers in an organization. Windows Server 2003 with SP1 ships with default setting values that are configured to create a secure environment. In many instances, this chapter prescribes settings that are different than the default values. The chapter also enforces specific defaults for all three environments. For information about all default settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP at http://go.microsoft.com/fwlink/?LinkId=15159.
Figure 4.2 The EC-Member Server Baseline.inf security template is imported into the MSBP, which is then linked to the Member Servers organizational unit (OU)
Procedures to harden specific server roles are defined in the remaining chapters of this guide. The primary server roles that are discussed in this guide include:
- Domain controllers that include DNS services
- Infrastructure servers that include WINS and DHCP services
- File servers
- Print servers
- Web servers that run Internet Information Services (IIS)
- Microsoft Internet Authentication Server (IAS) servers
- Certificate Services (CA) servers
- Bastion hosts
Many of the following settings that appear in the Enterprise Client MSBP also apply to these server roles in the three environments that are defined in this guide. The security templates are uniquely designed to address the security needs of each particular environment. The following table shows the names of the baseline security templates for the three environments.
Table 4.1 Baseline Security Templates for All Three Environments
Legacy Client | LC-Member Server Baseline.inf
Enterprise Client | EC-Member Server Baseline.inf
Specialized Security – Limited Functionality | SSLF-Member Server Baseline.inf
The security settings that are common to all three environments and therefore all Member Server Baseline security templates are described throughout the rest of this chapter. The baseline security templates are also the basis for the domain controller security templates that are defined in Chapter 5, "The Domain Controller Baseline Policy." The Domain Controllers Role security templates include baseline settings for the Domain Controllers Group Policy GPO, which is linked to the Domain Controllers OU in all three environments. Step-by-step instructions for how to create the OUs and Group Policies and then import the appropriate security template into each GPO are provided in Chapter 2, "Windows Server 2003 Hardening Mechanisms."
Note: Some procedures that are used to harden servers cannot be automated by means of Group Policy. These procedures are described in the “Additional Security Settings” section of this chapter.
Audit Policy
Administrators should create an Audit policy that defines which security events get reported, and that records user or computer activity in specified event categories. Administrators can monitor security-related activity, such as who accesses an object, if a user logs on to or off from a computer, or if changes are made to an Audit policy setting. Before you implement an Audit policy, you must decide which event categories to audit for the environment. The audit settings that an administrator chooses for the event categories define the organization's Audit policy. When audit settings for specific event categories are defined, administrators can create an Audit policy that suits the security needs of the organization. If no Audit policy exists, it will be difficult or impossible to determine what took place during a security incident. However, if audit settings are configured so that many authorized activities generate events, the Security log will fill up with useless data. The following recommendations and setting descriptions are provided to help you determine what to monitor so that the collected data is relevant. Oftentimes, failure logs are much more informative than success logs because failures typically indicate errors. For example, successful logon to a computer by a user would typically be considered normal. However, if someone unsuccessfully tries to log on to a computer multiple times, it may indicate an attempt to break into the computer with someone else's account credentials. The event logs record events on the computer. In Microsoft Windows operating systems, there are separate event logs for applications, security events, and system events. The Security log records audit events. The event log container of Group Policy is used to define attributes that are related to the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings and methods. Before an Audit policy implementation, organizations should determine how they will collect, organize, and analyze the data. Large volumes of audit data have little value if there is no plan to exploit it. Also, performance may be affected when computer networks are audited. The impact for a given combination of settings may be negligible on an end-user computer but quite noticeable on a busy server. Therefore, you should test whether performance will be affected before you deploy new audit settings in your production environment. The following table includes the Audit policy setting recommendations for all three environments that are defined in this guide. You may notice that the settings for most values are similar for all three environments. Additional information about each setting is provided in the subsections that follow the table. You can configure the Audit policy setting values in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. For a summary of the prescribed settings in this section, see the Microsoft Excel® workbook "Windows Server 2003 Security Guide Settings," which is included with the downloadable version of this guide.
For more information about the default settings and a detailed explanation of each of the settings that are discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
Table 4.2 Audit Policy Settings
Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality
Audit account logon events | Success | Success | Success, Failure
Audit account management | Success | Success | Success, Failure
Audit logon events | Success | Success | Success, Failure
Audit object access | No Auditing | No Auditing | Failure
Audit policy change | Success | Success | Success, Failure
Audit privilege use | No Auditing | No Auditing | Failure
Audit process tracking | No Auditing | No Auditing | No Auditing
Audit system events | Success | Success | Success
Organizations need to be able to determine who creates, modifies, or deletes both domain and local accounts. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow organizational policies, but could also indicate a deliberate attack. For example, account management failure events often indicate attempts by a lower-level administrator, or an attacker who has compromised a lower-level administrator's account, to elevate their privileges. The logs can help you determine which accounts an attacker has modified and created. The Audit account management setting is configured to log Success values for the LC and EC baseline policies, and to log both Success and Failure values for the SSLF baseline policy. The following table includes the important security events that this policy setting records in the Security log. These event IDs can be useful when you want to create custom alerts to monitor any software suite, such as MOM. Most operational management software can be customized with scripts to capture or flag events that are based on these event IDs.
Table 4.4 Account Management Events
Event ID | Event description
624 | A user account was created.
627 | A user password was changed.
628 | A user password was set.
630 | A user account was deleted.
631 | A global group was created.
632 | A member was added to a global group.
633 | A member was removed from a global group.
634 | A global group was deleted.
635 | A new local group was created.
636 | A member was added to a local group.
637 | A member was removed from a local group.
638 | A local group was deleted.
639 | A local group account was changed.
641 | A global group account was changed.
642 | A user account was changed.
643 | A domain policy was modified.
644 | A user account was automatically locked.
645 | A computer account was created.
646 | A computer account was changed.
647 | A computer account was deleted.
648 | A local security group with security disabled was created. Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
649 | A local security group with security disabled was changed.
650 | A member was added to a security-disabled local security group.
651 | A member was removed from a security-disabled local security group.
652 | A security-disabled local group was deleted.
653 | A security-disabled global group was created.
654 | A security-disabled global group was changed.
655 | A member was added to a security-disabled global group.
656 | A member was removed from a security-disabled global group.
657 | A security-disabled global group was deleted.
658 | A security-enabled universal group was created.
659 | A security-enabled universal group was changed.
660 | A member was added to a security-enabled universal group.
661 | A member was removed from a security-enabled universal group.
662 | A security-enabled universal group was deleted.
663 | A security-disabled universal group was created.
664 | A security-disabled universal group was changed.
665 | A member was added to a security-disabled universal group.
666 | A member was removed from a security-disabled universal group.
667 | A security-disabled universal group was deleted.
668 | A group type was changed.
684 | The security descriptor of administrative group members was set. Note: Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.
If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which users have either logged on or attempted to log on to computers in the organization. If you enable the Success value for the Audit logon events setting on a domain member, an event will be generated each time that someone logs on to the network, regardless of where the accounts reside on the network. If the user logs on to a local account and the Audit account logon events setting is Enabled, the user logon will generate two events. Even if you do not modify the default values for this policy setting, no audit record evidence will be available for analysis after a security incident takes place. The Audit logon events setting is configured to log Success values in the LC and EC baseline policies and to log both Success and Failure values for the SSLF policy. The following table includes the important security events that this policy setting records in the Security log.
Table 4.5 Audit Logon Events
Event ID | Event description
528 | A user successfully logged on to a computer.
529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530 | Logon failure. A logon attempt was made outside the allowed time.
531 | Logon failure. A logon attempt was made using a disabled account.
532 | Logon failure. A logon attempt was made using an expired account.
533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at the specified computer.
534 | Logon failure. The user attempted to log on with a password type that is not allowed.
535 | Logon failure. The password for the specified account has expired.
536 | Logon failure. The Net Logon service is not active.
537 | Logon failure. The logon attempt failed for other reasons. Note: In some cases, the reason for the logon failure may not be known.
538 | The logoff process was completed for a user.
539 | Logon failure. The account was locked out at the time the logon attempt was made.
540 | A user successfully logged on to a network.
541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542 | A data channel was terminated.
543 | Main mode was terminated. Note: This might occur because the time limit on the security association expired (the default is eight hours), because of policy changes, or peer termination.
544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545 | Main mode authentication failed because of a Kerberos authentication protocol failure or a password that is not valid.
546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
 | A failure occurred during an IKE handshake.
 | Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.
 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.
 | Notification message that could indicate a possible denial-of-service (DoS) attack.
 | A user initiated the logoff process.
 | A user successfully logged on to a computer with explicit credentials while already logged on as a different user.
 | A user has reconnected to a disconnected terminal server session.
 | A user disconnected a terminal server session but did not log off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
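Detection logic that could back the custom alerts mentioned under account management, as an added example that is not code from the guide. It uses event IDs from the tables above (529, 539, 644 and the Table 4.4 account management IDs) to flag the lockout denial-of-service pattern described under Account lockout threshold and failed account management operations; the record layout and the sample events are constructed for this example.

```python
"""Detection over Security log events (added example, constructed data)."""
from collections import defaultdict

BAD_PASSWORD = 529          # Table 4.5: unknown user name or bad password
LOCKED_OUT_AT_LOGON = 539   # Table 4.5: account was locked out at logon time
ACCOUNT_AUTO_LOCKED = 644   # Table 4.4: a user account was automatically locked
# Account management event IDs listed in Table 4.4.
ACCOUNT_MANAGEMENT_IDS = (
    {624, 627, 628, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 641,
     642, 643, 644, 645, 646, 647, 648} | set(range(649, 669)) | {684}
)

# Constructed sample log; "time" is seconds since an arbitrary start and the
# field names are this example's own, not a Windows event schema.
SAMPLE_EVENTS = [
    # one workstation cycling through many accounts with bad passwords: the
    # lockout denial-of-service pattern described under Account lockout
    {"time": 0, "id": 529, "outcome": "failure", "user": "alice", "source": "WS-17"},
    {"time": 2, "id": 529, "outcome": "failure", "user": "bob", "source": "WS-17"},
    {"time": 4, "id": 529, "outcome": "failure", "user": "carol", "source": "WS-17"},
    {"time": 5, "id": 529, "outcome": "failure", "user": "dave", "source": "WS-17"},
    {"time": 6, "id": 539, "outcome": "failure", "user": "alice", "source": "WS-17"},
    {"time": 7, "id": 644, "outcome": "success", "user": "alice", "source": "DC01"},
    # one mistyped password followed by a successful logon: ordinary noise
    {"time": 60, "id": 529, "outcome": "failure", "user": "erin", "source": "WS-03"},
    {"time": 65, "id": 528, "outcome": "success", "user": "erin", "source": "WS-03"},
    # a failed attempt to add a member to a global group, then a user change
    {"time": 90, "id": 632, "outcome": "failure", "actor": "helpdesk1",
     "user": "Domain Admins", "source": "WS-09"},
    {"time": 95, "id": 642, "outcome": "success", "actor": "helpdesk1",
     "user": "frank", "source": "WS-09"},
]


def failed_logon_spray(events, min_accounts=3, window=300):
    """Sources whose failed logons (529 or 539) touched at least min_accounts
    distinct accounts within any window of `window` seconds. Returns a dict
    mapping each such source to the sorted accounts it failed against."""
    failures = defaultdict(list)
    for event in events:
        if event["id"] in (BAD_PASSWORD, LOCKED_OUT_AT_LOGON):
            failures[event["source"]].append((event["time"], event["user"]))
    suspects = {}
    for source, attempts in failures.items():
        attempts.sort()
        for index, (start, _) in enumerate(attempts):
            accounts = {user for time, user in attempts[index:]
                        if time - start <= window}
            if len(accounts) >= min_accounts:
                suspects[source] = sorted(accounts)
                break
    return suspects


def locked_accounts(events):
    """Accounts the system locked automatically (event 644)."""
    return sorted({e["user"] for e in events if e["id"] == ACCOUNT_AUTO_LOCKED})


def failed_account_management(events):
    """Account management events with a failure outcome, which the SSLF policy
    audits because they often reveal attempts to elevate privileges.
    Returns (event id, actor, target) tuples."""
    return [(e["id"], e.get("actor"), e["user"]) for e in events
            if e["id"] in ACCOUNT_MANAGEMENT_IDS and e["outcome"] == "failure"]


if __name__ == "__main__":
    print("spray sources:", failed_logon_spray(SAMPLE_EVENTS))
    print("locked accounts:", locked_accounts(SAMPLE_EVENTS))
    print("failed account management:", failed_account_management(SAMPLE_EVENTS))
```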
If you configure the Audit object access setting to log Success values, an audit entry will be generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to log Failure values, an audit entry will be generated each time that a user unsuccessfully attempts to access an object with a specified SACL. Organizations should define only the actions they want enabled when SACLs are configured. For example, you might want to enable the Write and Append Data audit setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.
The Audit object access setting is configured to the default value of No auditing in the baseline policy for the LC and EC environments. However, this policy setting is configured to log Failure values in the baseline policy for the SSLF environment. The following table includes the important security events that this policy setting records in the Security log.
Table 4.6 Object Access Events
Event ID | Event description
560 | Access was granted to an already existing object.
562 | A handle to an object was closed.
563 | An attempt was made to open an object with the intent to delete it. Note: This event is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile().
 | A protected object was deleted.
 | Access was granted to an object type that already exists.
 | A permission associated with a handle was used. Note: A handle is created with certain granted permissions (such as Read and Write). When the handle is used, up to one audit is generated for each of the permissions that were used.
568 | An attempt was made to create a hard link to a file that is being audited.
569 | The resource manager in Authorization Manager attempted to create a client context.
570 | A client attempted to access an object. Note: An event will be generated for every attempted operation on the object.
571 | The client context was deleted by the Authorization Manager application.
572 | The Administrator Manager initialized the application.
772 | The Certificate Manager denied a pending certificate request.
773 | Certificate Services received a resubmitted certificate request.
774 | Certificate Services revoked a certificate.
775 | Certificate Services received a request to publish the certificate revocation list (CRL).
776 | Certificate Services published the CRL.
777 | A certificate request extension was made.
778 | One or more certificate request attributes changed.
779 | Certificate Services received a request to shut down.
780 | Certificate Services backup started.
781 | Certificate Services backup completed.
782 | Certificate Services restore started.
783 | Certificate Services restore completed.
784 | Certificate Services started.
785 | Certificate Services stopped.
786 | The security permissions for Certificate Services changed.
787 | Certificate Services retrieved an archived key.
788 | Certificate Services imported a certificate into its database.
789 | The audit filter for Certificate Services changed.
790 | Certificate Services received a certificate request.
791 | Certificate Services approved a certificate request and issued a certificate.
792 | Certificate Services denied a certificate request.
793 | Certificate Services set the status of a certificate request to pending.
794 | The certificate manager settings for Certificate Services changed.
795 | A configuration entry changed in Certificate Services.
796 | A property of Certificate Services changed.
797 | Certificate Services archived a key.
798 | Certificate Services imported and archived a key.
799 | Certificate Services published the certification authority (CA) certificate to Active Directory.
800 | One or more rows have been deleted from the certificate database.
801 | Role separation enabled.
Table 4.7 Audit Policy Change Events
Event ID | Event description
608 | A user right was assigned.
609 | A user right was removed.
610 | A trust relationship with another domain was created.
611 | A trust relationship with another domain was removed.
612 | An audit policy was changed.
613 | An Internet Protocol security (IPsec) policy agent started.
614 | An IPsec policy agent was disabled.
615 | An IPsec policy agent changed.
616 | An IPsec policy agent encountered a potentially serious failure.
617 | A Kerberos version 5 policy changed.
618 | Encrypted Data Recovery policy changed.
620 | A trust relationship with another domain was modified.
621 | System access was granted to an account.
622 | System access was removed from an account.
623 | Audit policy was set on a per-user basis.
625 | Audit policy was refreshed on a per-user basis.
768 | A collision was detected between a namespace element in one forest and a namespace element in another forest. Note: When a namespace element in one forest overlaps a namespace element in another forest, name resolution ambiguity for namespace elements can result. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName."
769 | The event log service read the Security log configuration for a session.
Note: If you wish to audit these user rights, you must enable the Audit: Audit the use of Backup and Restore privilege security option in Group Policy.
The Audit privilege use setting is left at the default value of No auditing in the baseline policy for the LC and EC environments. However, this policy setting is configured to log Failure values in the baseline policy for the SSLF environment. Failed use of a user right is an indicator of a general network problem, and can often indicate an attempted security breach. Organizations should configure the Audit privilege use setting to Enable only if there is a specific business reason to do so. The following table includes the important security events that this setting records in the Security log.
Table 4.8 Privilege Use Events
Event ID | Event description
576 | Specified privileges were added to a user's access token. Note: This event is generated when the user logs on.
577 | A user attempted to perform a privileged system service operation.
578 | Privileges were used on an already open handle to a protected object.
environments that are defined in this guide. However, this policy setting can be very helpful during an incident response because it provides a detailed log of the processes that are started and the time when each one was launched. The following table includes the important security events that this setting records in the Security log.
Table 4.9 Process Tracking Events
Event ID | Event description
592 | A new process was created.
593 | A process exited.
594 | A handle to an object was duplicated.
595 | Indirect access to an object was obtained.
596 | A data protection master key was backed up. Note: The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up by a domain controller.
 | A data protection master key was recovered from a recovery server.
 | Auditable data was protected.
 | Auditable data was unprotected.
 | A process was assigned a primary token.
 | A user attempted to install a service.
 | A scheduler job was created.
Event ID | Event description
517 | The audit log was cleared.
518 | A notification package was loaded by the Security Accounts Manager.
519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.
520 | The system time was changed. Note: This audit typically appears twice.
You can configure the user rights assignment settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The default user rights assignments are different for the various types of servers in your organization. For example, Windows Server 2003 assigns different rights to built-in groups on member servers and domain controllers. (Similarities between built-in groups on different server types are not documented in the following list.)
Member Servers
- Power Users. Possess most administrative powers with some restrictions. Power Users can run legacy applications in addition to applications that are certified for Windows Server 2003 with SP1 or Windows XP.
- HelpServicesGroup. The group for the Help and Support Center. Support_388945a0 is a member of this group by default.
- TelnetClients. Members of this group have access to the Telnet server on the network.
Domain Controllers
- Server Operators. Members of this group can administer domain servers.
- Terminal Server License Servers. Members of this group have access to Terminal Server License Servers on the network.
- Windows Authorization Access Group. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on user objects.
The Guests group and the user accounts Guest and Support_388945a0 have unique SIDs between different domains. Therefore, this Group Policy for user rights assignments may need to be modified on a computer on which only the specific target group exists. Alternatively, the policy templates can be edited individually to include the appropriate groups within the .inf files. For example, a domain controller Group Policy could be created on a domain controller in a test environment.
Note: Because of the unique SIDs that exist between members of the Guests group, Support_388945a0, and Guest, some settings that are used to harden servers cannot be automated by means of the security templates that are included with this guide. These settings are described in the "Additional Security Settings" section later in this chapter.
This section provides details about the prescribed Member Server Baseline Policy (MSBP) user rights assignment settings for all three environments that are defined in this guide. For a summary of the prescribed settings in this section, see the Microsoft Excel workbook "Windows Server 2003 Security Guide Settings," which is included with the downloadable version of this guide. For information about the default settings and a detailed explanation of each of the settings that are discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

The following table includes the user rights assignments setting recommendations for all three environments that are defined in this guide. Additional information about each setting is provided in the subsections that follow the table.

Table 4.11 User Rights Assignments Setting Recommendations

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Access this computer from the network | Not defined | Not defined | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Act as part of the operating system | Not defined | Not defined | No one
Adjust memory quotas for a process | Not defined | Not defined | Administrators, NETWORK SERVICE, LOCAL SERVICE
Allow log on locally | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users | Administrators
Allow log on through Terminal Services | Administrators and Remote Desktop Users | Administrators and Remote Desktop Users | Administrators
Back up files and directories | Not defined | Not defined | Administrators
Bypass traverse checking | Not defined | Not defined | Authenticated Users
Change the system time | Not defined | Not defined | Administrators, LOCAL SERVICE
Create a pagefile | Not defined | Not defined | Administrators
Create a token object | Not defined | Not defined | No one
Create global objects | Not defined | Not defined | Administrators, SERVICE
Create permanent shared objects | Not defined | Not defined | No one
Debug programs | Not defined | Administrators | No one
Deny access to this computer from the network | ANONYMOUS LOGON; Guests; SUPPORT_388945a0; all NON-Operating System service accounts | ANONYMOUS LOGON; Guests; SUPPORT_388945a0; all NON-Operating System service accounts | ANONYMOUS LOGON; Guests; SUPPORT_388945a0; all NON-Operating System service accounts
Deny log on as a batch job | Guests; SUPPORT_388945a0 | Guests; SUPPORT_388945a0 | Guests; SUPPORT_388945a0
Deny log on as a service | Not defined | Not defined | No one
Deny log on locally | Not defined | Not defined | Guests; SUPPORT_388945a0
Deny log on through Terminal Services | Guests | Guests | Guests
Enable computer and user accounts to be trusted for delegation | Not defined | Not defined | Administrators
Force shutdown from a remote system | Not defined | Not defined | Administrators
Generate security audits | Not defined | Not defined | NETWORK SERVICE, LOCAL SERVICE
Impersonate a client after authentication | Not defined | Not defined | Administrators, SERVICE
Increase scheduling priority | Not defined | Not defined | Administrators
Load and unload device drivers | Not defined | Not defined | Administrators
Lock pages in memory | Not defined | Not defined | No one
Log on as a batch job | Not defined | Not defined | Not defined
Log on as a service | Not defined | Not defined | NETWORK SERVICE
Manage auditing and security log | Not defined | Not defined | Administrators
Modify firmware environment values | Not defined | Not defined | Administrators
Perform volume maintenance tasks | Not defined | Not defined | Administrators
Profile single process | Not defined | Not defined | Administrators
Profile system performance | Not defined | Not defined | Administrators
Remove computer from docking station | Not defined | Not defined | Administrators
Replace a process level token | Not defined | Not defined | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Not defined | Not defined | Administrators
Shut down the system | Not defined | Not defined | Administrators
Synchronize directory service data | Not defined | Not defined | No one
Take ownership of files or other objects | Not defined | Not defined | Administrators
Create a pagefile

This policy setting determines whether users can create and change the size of pagefiles. To perform this task, the user specifies a page file size for a particular drive in the Performance Options box that is located on the Advanced tab of the System Properties dialog box. The Create a pagefile setting is configured to Not defined for the LC and EC environments. This user right is assigned to only the Administrators group for the SSLF environment.
configured to a null value or blank, which means no security group or account will have this user right.
*ebu( pro(ra"s
This policy setting determines which users can attach a debugger to any process or to the kernel. 3t provides complete access to sensitive and critical operating system components. -rograms should not be debugged in production environments e9cept in e9treme circumstances1 such as when there is a need to troubleshoot a business%critical application that cannot be effectively assessed in the test environment. The -ebu" pro"rams setting is configured to .ot defined for the LC environment. :or the ?C environment1 this user right is assigned only to the &dministrators group. However1 for the SSL: environment this policy setting is configured to a null value or blank1 which means no security group or account will have this user right.
Note: On Windows Server 2003 with SP1, removal of the Debug programs user right may result in an inability to use the Windows Update service. However, patches can still be manually downloaded and installed or applied through other means. Removal of this user right may also interfere with the Cluster Service. For more information, see the Microsoft Knowledge Base article "How to apply more restrictive security settings on a Windows Server 2003-based cluster server" at http://support.microsoft.com/?kbid=891597.
Deny access to this computer from the network

This policy setting determines which users will not be able to access a computer over the network. It denies a number of network protocols, including SMB-based protocols, NetBIOS, CIFS, HTTP, and COM+. This policy setting supersedes the Access this computer from the network user right when a user account is subject to both settings. For all three environments that are defined in this guide, the Deny access to this computer from the network user right is assigned to the Guests group, ANONYMOUS LOGON, SUPPORT_388945a0, and all service accounts that are not part of the operating system. Configuration of this policy setting for other groups could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks will not be negatively affected.
Deny log on as a batch job

This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility; accounts that run jobs through the Task Scheduler need the Log on as a batch job user right. The Deny log on as a batch job user right overrides the Log on as a batch job user right, which could otherwise be used to allow accounts to schedule jobs that consume excessive system resources and cause a DoS condition. For this reason, the Deny log on as a batch job user right is assigned to the Guests group and the SUPPORT_388945a0 user account in the baseline policy for all three environments that are defined in this guide. Failure to assign this user right to the recommended accounts can be a security risk.
Deny log on through Terminal Services

This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-user processing. For all three environments that are defined in this guide, the Guests group is assigned the Deny log on through Terminal Services user right so that they cannot log on through Terminal Services.
malicious code that masquerades as a device driver (unintentionally or otherwise). Administrators should exercise greater care and install only drivers with verified digital signatures. The Load and unload device drivers setting is configured to Not defined for the LC and EC environments. However, this user right is assigned to only the Administrators group for the SSLF environment.
Log on as a service

This policy setting determines whether a security principal can log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have built-in rights to log on as a service. Any service that runs under a separate user account must be assigned this user right. The Log on as a service setting is configured to Not defined for the LC and EC environments. However, this user right is assigned only to the Network Service account for the SSLF environment.
The Modify firmware environment values setting is configured to Not defined for the LC and EC environments. However, this user right is assigned to only the Administrators group for the SSLF environment.
The Replace a process level token setting is configured to Not defined for the LC and EC environments. However, this user right is assigned to only the LOCAL SERVICE and NETWORK SERVICE accounts for the SSLF environment.
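The subsections above state the SSLF value of each right in prose, and the guide delivers those values as [Privilege Rights] lines in security template (.inf) files. The following script is an added example, not code or a template shipped with the guide: it parses that section of a template and reports where the assigned principals deviate from the SSLF values quoted above. The template text is constructed for the demonstration (two deviations are planted in it), and the function names are this example's own; the line format (privilege constant = comma-separated *SIDs or account names, empty right-hand side for "No one") and the well-known SIDs are those Windows uses. Exports produced by secedit are UTF-16LE, so read a real file with open(path, encoding="utf-16") before passing its text in.

```python
"""Audit the [Privilege Rights] section of a Windows security template (.inf)
against a handful of the SSLF user-rights recommendations described above.

Added example, not code shipped with the Windows Server 2003 Security Guide.
SAMPLE_TEMPLATE is constructed for the demo; it mimics what secedit /export
writes (principals as *SID or as account names, comma-separated, an empty
right-hand side meaning "No one").
"""
import configparser

# Well-known SIDs; identical on every Windows installation.
WELL_KNOWN_SIDS = {
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-546": "Guests",
    "*S-1-5-32-547": "Power Users",
    "*S-1-5-19": "LOCAL SERVICE",
    "*S-1-5-20": "NETWORK SERVICE",
    "*S-1-5-6": "SERVICE",
    "*S-1-5-7": "ANONYMOUS LOGON",
}

# SSLF expectations for the rights discussed in the subsections above
# (privilege constant -> principals).  An empty set means "No one".
SSLF_EXPECTED = {
    "SeDebugPrivilege": set(),                                  # Debug programs
    "SeCreateTokenPrivilege": set(),                            # Create a token object
    "SeCreatePagefilePrivilege": {"Administrators"},            # Create a pagefile
    "SeLoadDriverPrivilege": {"Administrators"},                # Load and unload device drivers
    "SeServiceLogonRight": {"NETWORK SERVICE"},                 # Log on as a service
    "SeSystemEnvironmentPrivilege": {"Administrators"},         # Modify firmware environment values
    "SeAssignPrimaryTokenPrivilege": {"LOCAL SERVICE", "NETWORK SERVICE"},  # Replace a process level token
}

# Constructed template with two deliberate deviations from the SSLF baseline:
# Administrators still hold Debug programs, and Power Users may load drivers.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeCreateTokenPrivilege =
SeCreatePagefilePrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeServiceLogonRight = *S-1-5-20
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546,SUPPORT_388945a0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template_text):
    """Return {privilege: set(principal names)} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.optionxform = str  # keep Se* privilege names case-sensitive
    parser.read_string(template_text)
    rights = {}
    for privilege, value in parser["Privilege Rights"].items():
        tokens = [t.strip() for t in (value or "").split(",") if t.strip()]
        # Tokens not in the map (domain SIDs, plain account names) are kept verbatim.
        rights[privilege] = {WELL_KNOWN_SIDS.get(t, t) for t in tokens}
    return rights


def audit_sslf(rights, expected=SSLF_EXPECTED):
    """Compare parsed rights with the baseline; return [(privilege, finding), ...]."""
    findings = []
    for privilege, wanted in expected.items():
        if privilege not in rights:
            findings.append((privilege, "not defined (SSLF requires an explicit value)"))
            continue
        extra = rights[privilege] - wanted
        missing = wanted - rights[privilege]
        if extra:
            findings.append((privilege, "unexpected principals: " + ", ".join(sorted(extra))))
        if missing:
            findings.append((privilege, "missing principals: " + ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for privilege, finding in audit_sslf(parse_privilege_rights(SAMPLE_TEMPLATE)):
        print(f"{privilege}: {finding}")
```

Run against the constructed template, the audit reports the two planted deviations (Administrators on SeDebugPrivilege, Power Users on SeLoadDriverPrivilege) and nothing else; a right that is absent from the template is reported as well, because a template that leaves a right undefined inherits whatever the target already has, which is not what SSLF prescribes.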
Security Options
The policy settings in the Security Options section of Group Policy are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These policy settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works. You can configure the security options settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the settings that are included in this section exist on all types of computers. Therefore, the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on computers in which these settings are present to make them fully operable.

The following sections provide information about the prescribed MSBP security options settings for all three environments that are defined in this guide. For a summary of the prescribed settings, see the Microsoft Excel workbook "Windows Server 2003 Security Guide Settings," which is included with the downloadable version of this guide. For information about the default configuration and a detailed explanation of each of the settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. The tables in each of the following sections summarize the recommended settings for the different types of security option settings. Detailed information about the settings is provided in the subsections that follow each table.
Accounts Settings
Table 4.12 Security Options: Accounts Setting Recommendations

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Administrator account status | Not defined | Not defined | Enabled
Guest account status | Disabled | Disabled | Disabled
Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled
Accounts: Limit local account use of blank passwords to console logon only

This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If this policy setting is enabled, local accounts with blank passwords cannot be used to log on over the network from a remote client (including through Terminal Services); such accounts can only be used by someone physically located at the keyboard of the computer. Domain accounts and local accounts that have a password are not affected. The Accounts: Limit local account use of blank passwords to console logon only setting is configured to the default value of Enabled in the baseline policy for all three of the environments that are defined in this guide.
Audit Settings

Table 4.13 Security Options: Audit Setting Recommendations

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Audit the access of global system objects | Disabled | Disabled | Disabled
Audit the use of Backup and Restore privilege | Disabled | Disabled | Disabled
Shut down system immediately if unable to log security audits | Disabled | Disabled | Enabled
Devices Settings

Table 4.14 Security Options: Devices Setting Recommendations (the Enterprise Client and SSLF cells of the last row did not survive extraction)

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Allow undock without having to log on | Disabled | Disabled | Disabled
Allowed to format and eject removable media | Administrators | Administrators | Administrators
Prevent users from installing printer drivers | Enabled | Enabled | Enabled
Restrict CD-ROM access to locally logged-on user only | Not defined | Not defined | Disabled
Restrict floppy access to locally logged-on user only | Not defined | Not defined | Disabled
Unsigned driver installation behavior | Not defined | | 
Therefore, the recommended value for the Devices: Allowed to format and eject removable media setting is the default value of Administrators in the baseline policy for all three environments that are defined in this guide.
(Windows 2000 or later) session key setting is configured to Enabled in the baseline policy for all three environments.

Note: If you enable this policy setting you will not be able to join computers that run Windows 2000 to Windows NT 4.0 domains.
Table: Security Options: Interactive Logon Setting Recommendations (the setting names in this table did not survive extraction; the settings are described in the subsections that follow).
The Interactive logon: Display user information when the session is locked setting is configured to Not defined for the LC and EC environments. It is configured to User display name, domain and user names in the baseline server policy for the SSLF environment.
)nteractive lo"on> .umber of previous lo"ons to cac'e @in case domain controller is not availableA
This policy setting determines whether a user can log on to a !indows domain with cached account information. Logon information for domain accounts can be cached locally so that if a domain controller cannot be contacted on subse=uent logons1 a user can still log on. This capability may allow users to log on after their account has been disabled or deleted1 because the workstation does not contact the domain controller. This policy setting determines the number of uni=ue users for whom logon information is cached locally. 3f you configure this setting to +1 the logon cache is disabled. The )nteractive lo"on> .umber of previous lo"ons to cac'e @in case domain controller is not availableA setting is configured to 0 in the baseline policy for the ?C and SSL: environments. 3n the LC environment1 the setting is configured to 1 to allow access for legitimate clients when they are unable to contact the domain controller.
Interactive logon: Require smart card

The use of smart cards instead of passwords for authentication significantly increases security. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user must possess the smart card and know its PIN, so an attacker must obtain both to impersonate the user. An attacker who captures the authentication traffic between the user's computer and the domain controller will find it extremely difficult to decrypt the traffic. Even if they can decrypt the traffic, the next time the user logs onto the network a new session key will be generated to encrypt traffic between the user and the domain controller. Microsoft encourages organizations to migrate to smart cards or other strong authentication technologies. However, you should only enable the Interactive logon: Require smart card setting if smart cards are already deployed. For this reason, this policy setting is configured to Not defined in the baseline policy for the LC and EC environments. This policy setting is configured to Disabled in the baseline policy for the SSLF environment.
Therefore, to increase communications security between computers in this environment, the Microsoft network client: Digitally sign communications (always) setting is configured to Enabled in the baseline policy for the EC and SSLF environments.

Microsoft network server: Amount of idle time required before suspending session

This policy setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The Microsoft network server: Amount of idle time required before suspending session setting is configured to 15 minutes in the baseline policy for all three environments that are defined in this guide.
Table: Security Options: Network Access Setting Recommendations (the column layout of this table did not survive extraction; each setting is described in the subsections that follow). Settings whose names survived: Do not allow storage of credentials or .NET Passports for network authentication; Let Everyone permissions apply to anonymous users; Named Pipes that can be accessed anonymously; Restrict anonymous access to Named Pipes and Shares; Shares that can be accessed anonymously; Sharing and security model for local accounts. Values that survived: the named pipes list COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, netlogon, lsarpc, samr, browser; the registry paths System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications and Software\Microsoft\ (truncated in the source).
Network access: Do not allow anonymous enumeration of SAM accounts and shares

This policy setting determines whether anonymous enumeration of SAM accounts and shares is allowed. The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide.
.etwor= access> -o not allow stora"e of credentials or .!T %assports for networ= aut'entication
This policy setting determines whether settings for Stored (ser .ames and %asswords will save passwords1 credentials1 or Microsoft .8?T -assports for later use after domain authentication is achieved. The .etwor= access> -o not allow stora"e of credentials or .!T %assports for networ= aut'entication setting is configured to !nabled in the baseline policy for all three security environments that are defined in this guide.
3ote$ Chan&es that are made to the confi&uration of this polic" settin& will not take effect until "ou restart 3indows.
Important: If you need to enable this policy setting, ensure that you only add the named pipes that are needed to support the applications in your environment. As with all recommended settings in this guide, you should carefully test this policy setting before you deploy it in a production environment.
The Network access: Restrict anonymous access to Named Pipes and Shares setting is configured to the default setting of Enabled in the baseline policy for all three environments that are defined in this guide.
Table: Security Options: Network Security Setting Recommendations (layout lost in extraction; the rows that survived are Minimum session security for NTLM SSP based (including secure RPC) clients and servers, plus the value Negotiate signing; each setting is described in the subsections that follow).
Network security: Do not store LAN Manager hash value on next password change

This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Windows NT hash: it is computed from the password converted to uppercase and split into two 7-character halves, so a captured LM hash of any password of 14 characters or fewer can be brute-forced quickly, whatever its complexity. For this reason, the Network security: Do not store LAN Manager hash value on next password change setting is configured to Enabled in the baseline policy for all three security environments that are defined in this guide.

Note: Very old legacy operating systems and some applications may fail when this policy setting is enabled. Also, you will need to change the password on all accounts after this policy setting is enabled, because the setting only stops new LM hashes from being stored; the existing ones remain until each password is changed.
Network security: LAN Manager authentication level

You should configure this policy setting to the highest level that your environment allows according to the following guidelines:

In an environment that includes only Windows NT 4.0 SP4, Windows 2000, and Windows XP Professional, configure this policy setting to Send NTLMv2 response only\refuse LM & NTLM on all clients, and then to Send NTLMv2 response only\refuse LM & NTLM on all servers after all clients are configured. The exception to this recommendation is Windows Server 2003 Routing and Remote Access servers, which will not function properly if this policy setting is configured higher than Send NTLMv2 response only\refuse LM. The EC environment may need to support Routing and Remote Access servers, therefore the Network security: LAN Manager authentication level setting for this environment is configured to Send NTLMv2 response only\refuse LM in the baseline policy. Routing and Remote Access servers are not supported in the SSLF environment, so the policy setting for this environment is configured to Send NTLMv2 response only\refuse LM & NTLM.

If you have Windows 9x clients on which you can install the DSClient, configure this policy setting to Send NTLMv2 response only\refuse LM & NTLM on computers that run Windows NT (Windows NT, Windows 2000, and Windows XP Professional). Otherwise, you must leave this policy setting configured to no higher than Send NTLMv2 response only in the baseline policy for computers that do not run Windows 9x, which is how the setting is configured for the LC environment.

If you find applications that break when this policy setting is enabled, roll it back one step at a time to discover what breaks. At a minimum, you should configure this policy setting to Send LM & NTLM - use NTLMv2 session security if negotiated in the baseline policy on all computers. Typically, you can configure it to Send NTLMv2 response only on all computers in the environment.
.etwor= security> Minimum session security for .T2M SS% based @includin" secure /%CA clients
This policy setting allows a client to re=uire the negotiation of message confidentiality /encryption01 message signing1 .*>%bit encryption1 or 8TLM version * /8TLMv*0 session security. Configure this policy setting to as high a security level as possible1 but remember that you still need to allow the applications on the network to function. -roper configuration of this policy setting will help ensure that network traffic from 8TLM SS-@ based servers is protected from man%in%the%middle attacks and data e9posure. The .etwor= security> Minimum session security for .T2M SS% based @includin" secure /%CA clients setting is configured to .o minimum in the baseline policy for the LC environment. All settings are enabled for the ?C and SSL: environments.
.etwor= security> Minimum session security for .T2M SS% based @includin" secure /%CA servers
This policy setting allows a server to re=uire the negotiation of message confidentiality /encryption01 message integrity1 .*>%bit encryption1 or 8TLMv* session security. Configure this policy setting to as high a security level as possible1 but remember that you still need to allow the applications on the network to function. Like the previous policy setting1 proper configuration of this policy setting will help ensure that network traffic from 8TLM SS-@based clients is protected from man%in%the%middle attacks and data e9posure. The .etwor= security> Minimum session security for .T2M SS% based @includin" secure /%CA servers security option setting is configured to .o minimum in the baseline policy for the LC environment. All settings are enabled for the ?C and SSL: environments.
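The LAN Manager authentication level guidance above (raise clients first, servers last, and roll back one step at a time) and the two NTLM minimum session security settings are all stored as numeric registry values, which is what you see in an exported template or in the registry itself. The following script is an added example, not code from the guide: it models what each LmCompatibilityLevel sends and accepts so you can predict which clients a server-side change will break, and it decodes the NtlmMinClientSec/NtlmMinServerSec bit masks into the check boxes of the Group Policy UI. The level semantics and flag bits are the documented registry encodings of these settings; the send/accept model is deliberately simplified (it ignores LMv2 and the session-security negotiation itself, and does not model the Routing and Remote Access exception described above), and the client fleet in the usage section is constructed for the demonstration.

```python
"""Decode the registry encodings behind the NTLM policy settings discussed above and
predict whether a client/server pair can still authenticate after a change.

Added example, not code from the Windows Server 2003 Security Guide.  The level
meanings and flag bits are the documented registry encodings; the send/accept
model is simplified (no LMv2, no RRAS exception).  The fleet below is made up.
"""

# HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (Group Policy choice text)
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}

# HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec and NtlmMinServerSec
NTLM_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}
ALL_FLAGS = 0x20080030  # every option checked: the EC/SSLF value in the text above


def client_responses(level):
    """Response types a client at this level puts on the wire (3, 4 and 5 behave alike on the client side)."""
    if level in (0, 1):
        return {"LM", "NTLM"}
    if level == 2:
        return {"NTLM"}
    return {"NTLMv2"}


def server_accepts(level):
    """Response types a server or domain controller at this level still accepts."""
    accepted = {"LM", "NTLM", "NTLMv2"}
    if level >= 4:
        accepted.discard("LM")
    if level >= 5:
        accepted.discard("NTLM")
    return accepted


def can_authenticate(client_level, server_level):
    return bool(client_responses(client_level) & server_accepts(server_level))


def clients_broken_by_server_level(new_server_level, client_levels):
    """Client levels in the fleet that would stop authenticating if servers move to
    new_server_level; this is why the text says to raise clients first, servers last."""
    return {c for c in client_levels if not can_authenticate(c, new_server_level)}


def describe_session_security(value):
    """Return (required options, leftover unknown bits) for an NtlmMin*Sec value."""
    names = [name for bit, name in NTLM_SEC_FLAGS.items() if value & bit]
    known_mask = 0
    for bit in NTLM_SEC_FLAGS:
        known_mask |= bit
    return (names or ["No minimum"]), value & ~known_mask


if __name__ == "__main__":
    # Constructed fleet: LmCompatibilityLevel -> description of the clients at that level.
    fleet = {0: "legacy appliance", 2: "NTLM-only application server", 3: "desktops", 5: "hardened servers"}
    for target in (4, 5):
        broken = clients_broken_by_server_level(target, fleet)
        print(f"servers at {target} ({LM_LEVELS[target]}) break: {[fleet[c] for c in sorted(broken)]}")
    print(describe_session_security(ALL_FLAGS))
```

Moving the servers to level 4 breaks nothing in that fleet, because even a level-0 client still sends an NTLM response that a "refuse LM" server accepts; moving them to level 5 cuts off both the level-0 and level-2 clients, which is the "roll back one step" situation the guidance describes. The decoder also separates known bits from unknown ones, so a value that does not correspond to any combination of UI check boxes is visible as such rather than silently treated as "No minimum".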
Recovery console: Allow floppy copy and access to all drives and all folders

You can enable this policy setting to make the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables:

AllowWildCards. Enables wildcard support for some commands (such as the DEL command).
AllowAllPaths. Allows access to all files and folders on the computer.
AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk.
NoCopyPrompt. Does not prompt when overwriting an existing file.

For maximum security, the Recovery console: Allow floppy copy and access to all drives and all folders setting is configured to Disabled in the baseline policy for the SSLF environment. However, this policy setting is configured to Enabled for the LC and EC environments.
Shutdown Settings

Table 4.23 Security Options: Shutdown Setting Recommendations

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Allow system to be shut down without having to log on | Disabled | Disabled | Disabled
Clear virtual memory page file | Disabled | Disabled | Disabled
System crypto"rap'y> 0orce stron" =ey protection for user =eys stored on t'e computer
This policy setting determines whether users private keys /such as their S%M3M? keys0 re=uire a password to be used. 3f you configure this policy setting so that users must provide a passwordIdistinct from their domain passwordIevery time that they use a key1 then it will be more difficult for an attacker to access locally stored keys1 even an attacker who discovers logon passwords. :or usability re=uirements in the LC and ?C environments1 the System crypto"rap'y> 0orce stron" =ey protection for user =eys stored on t'e computer setting is configured to (ser is prompted w'en t'e =ey is first used in the baseline policy. To provide additional security1 this policy setting is configured to (ser must enter a password eac' time t'ey use a =ey for the SSL: environment.
System crypto"rap'y> (se 0)%S compliant al"orit'ms for encryptionC 'as'in"C and si"nin"
This policy setting determines whether the Transport Layer Security#Secure Sockets Layer /TLS#SSL0 Security -rovider supports only the TLSPKSAP!3THP,D?SP?D?PCCCPSHA cipher suite. Although this policy setting increases security1 most public !eb sites that are secured with TLS or SSL do not support these algorithms. Many client computers are also not configured to support these algorithms. :or these reasons1 the System crypto"rap'y> (se 0)%S compliant al"orit'ms for encryptionC 'as'in"C and si"nin" setting is configured to -isabled in the baseline policy for the LC and ?C environments. This policy setting is configured to !nabled for the SSL: environment.
Table: Security Options: System Objects Setting Recommendations (only the rows described in the subsections below could be recovered from the extraction)

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator
Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled | Enabled

System objects: Default owner for objects created by members of the Administrators group

This policy setting determines whether the Administrators group or an object creator is the default owner of any system objects that are created. When system objects are created, the ownership will reflect which account created the object rather than the more generic Administrators group. The System objects: Default owner for objects created by members of the Administrators group setting is configured to Object creator in the baseline policy for all three environments that are defined in this guide.

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

This policy setting determines the strength of the default discretionary access control list (DACL) for objects, and helps secure objects that can be located and shared among processes. To strengthen the DACL you can use the default value of Enabled, which allows users who are not administrators to read shared objects but not to modify any that they did not create. The System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) setting is configured to the default value of Enabled in the baseline policy for all three environments that are defined in this guide.
Syste" Settin(s
Table B 2D Security +ptions> System Settin" /ecommendations
-6
Settin" System settings" $ptional subsystems System settings" Jse Certificate Kules on !indows ?9ecutables for Software Kestriction -olicies
System settin"s> (se Certificate /ules on Windows !3ecutables for Software /estriction %olicies
This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .e9e file name e9tension. 3t enables or disables certificate rules /a type of software restriction policies rule0. !ith software restriction policies1 you can create a certificate rule that will allow or disallow the e9ecution of Authenticode(%signed software1 based on the digital certificate that is associated with the software. :or certificate rules to take effect in software restriction policies1 you must enable this policy setting. The System settin"s> (se Certificate /ules on Windows !3ecutables for Software /estriction %olicies setting is configured to !nabled in the SSL: environment. However1 it is configured to -isabled in the ?C environment and to .ot defined in the LC environment because of the potential performance impact.
Event Log

The event log records events on the computer, and the Security log records audit events. The event log container of Group Policy is used to define attributes of the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings and methods. The settings for the Application, Security, and System event logs are configured in the MSBP and applied to all member servers in the domain. You can configure the event log settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Event Log

This section provides details about the prescribed MSBP event log settings for all three environments that are defined in this guide. For a summary of the prescribed settings in this section, see the Microsoft Excel workbook "Windows Server 2003 Security Guide Settings," which is available in the downloadable version of this guide. For information about the default configuration and a detailed explanation of each of the settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
The following table summarizes the event log setting recommendations for the three environments that are defined in this guide. Additional information about each setting is provided in the subsections that follow the table.

Table 4.27 Event Log Setting Recommendations

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Maximum application log size | 16,384 KB | 16,384 KB | 16,384 KB
Maximum security log size | 81,920 KB | 81,920 KB | 81,920 KB
Maximum system log size | 16,384 KB | 16,384 KB | 16,384 KB
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled
Retention method for application log | As needed | As needed | As needed
Retention method for security log | As needed | As needed | As needed
Retention method for system log | As needed | As needed | As needed
Requirements for the System log size vary, and depend on the function of the platform and the need for historical records. The Maximum system log size setting is configured to the default value of 16,384 KB in the baseline policy for all three environments that are defined in this guide.
will always store the most recent events, although this configuration could result in a loss of historical data. The Retention method for application log setting is configured to As needed in the baseline policy for all three environments that are defined in this guide.
Additional Registry Entries

Additional registry entries (also called registry values) were created for the baseline security template files that are not defined within the default Administrative Template (.adm) file for the three security environments that are defined in this guide. The .adm files define the policies and restrictions for the desktop, shell, and security for Windows Server 2003. These registry entries are embedded within the security templates (in the "Security Options" section) to automate the changes. If the policy is removed, these registry entries are not automatically removed with it; they must be manually changed with a registry editing tool such as Regedt32.exe. The same registry entries are applied across all three environments.

This guide includes additional registry entries that are added to the Security Configuration Editor (SCE). To add these registry entries, you need to modify the Sceregvl.inf file (located in the %windir%\inf folder) and re-register the Scecli.dll file. The original security entries, as well as the additional ones, appear under Local Policies\Security in the snap-ins and tools that are listed earlier in this chapter. You will need to update the Sceregvl.inf file and re-register the Scecli.dll file for any computers on which you will edit the security templates and Group Policies that are provided with this guide. Details about how to update these files are provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.

This section is only a summary of the additional registry entries that are described in detail in the companion guide. For information about the default settings and a detailed explanation of each of the settings that are discussed in this section, see Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.
(Remaining row of the TCP/IP registry value table, whose header is not on this page; the values are the same for both environment columns: 0, 1, 0, 300,000, 2, 2, 3, 0.)
Other Registry Entries
Other recommended registry entries that are not specific to TCP/IP are listed in the following table. Additional information about each entry is provided in the subsections that follow the table. Cells left blank are values that the table does not show; for those entries the recommendation is the one stated in the entry name.

Table 4.2: Other Registry Entry Recommendations

Registry entry | Format | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | DWORD | | |
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) | DWORD | | |
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) | DWORD | 0xFF | 0xFF | 0xFF
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | String | 0 | 0 | 0
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | DWORD | 90 | 90 | 90
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | DWORD | 1 | 1 | 1
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) | DWORD | | |
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) | DWORD | | |
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) | DWORD | | |
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) | DWORD | | |
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) | DWORD | | |
Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS servers
This entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE. NetBIOS over TCP/IP is a network protocol that (among other things) provides a way to easily resolve NetBIOS names that are registered on Windows-based computers to the IP addresses that are configured on those computers. This value determines whether the computer releases its NetBIOS name when it receives a name-release request. Because a name-release request is an unauthenticated UDP datagram, any host on the network can forge one and make the computer give up its name; setting the value to 1 makes the computer ignore such requests unless they come from a WINS server. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ subkey.
Disable Auto Generation of 8.3 File Names: Enable the computer to stop generating 8.3 style filenames
This entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) in the SCE. Windows Server 2003 with SP1 supports 8.3 file name formats for backward compatibility with 16-bit applications. The 8.3 file name convention is a format that only allows file names of up to eight characters plus a three-character extension. The short names are generated automatically for every long file name, and an attacker who can reach a file only by its short name (for example, PROGRA~1) can sometimes bypass checks that were written against the long name. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ subkey.
Make Screensaver Password Protection Immediate: The time in seconds before the screen saver grace period expires (0 recommended)
This entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE. Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. By default this period is five seconds; during it, keyboard or mouse input dismisses the screen saver without a password, so whoever reaches an unattended console first can reclaim the session. Setting the value to 0 makes password protection immediate.
You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ subkey.
Security Log Near Capacity Warning: Percentage threshold for the security event log at which the system will generate a warning
This entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE. This option became available with SP3 for Windows 2000. It generates a security audit in the Security log when the log's size reaches a user-defined threshold. For example, if you configure the value for this registry entry to 90 and the Security log reaches 90 percent of capacity, the log will show one entry with an event ID of 523 that reads as follows: "The security event log is 90 percent full." Monitoring for this event gives you time to archive the log before it fills and events are lost or the server halts, depending on the retention settings.
Note: If you configure log settings to Overwrite events as needed or Overwrite events older than x days, this event will not be generated.
You can add this registry value to the security template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ subkey.
Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended)
This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:
Search the folders that are specified in the system path first, and then search the current working folder.
Search the current working folder first, and then search the folders that are specified in the system path.
The registry value is configured to 1, which causes the computer to first search the folders that are specified in the system path and then the current working folder. If you configure this entry to 0, the computer first searches the current working folder and then the folders that are specified in the system path. Mode 0 is the classic DLL-planting weakness: a DLL with the expected name dropped into the current working folder (for example, next to a document that a user opens from a network share) is loaded in place of the system copy and runs with the user's privileges. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ subkey.
Disable Saved Passwords: Prevent the dial-up password from being saved
This entry appears as MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) in the SCE. By default, Windows will offer the option to save passwords for dial-up and VPN connections, which is not desirable on a server, because a saved credential can be reused by anyone who gains access to the account profile. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\ subkey (the Remote Access Connection Manager key; the value has no effect if it is placed under LanmanServer\Parameters).
Enable IPSec to protect Kerberos RSVP Traffic: Enable NoDefaultExempt for IPSec Filtering
This entry appears as MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) in the SCE. The default exemptions to IPsec policy filters are documented in the Microsoft Windows Server 2003 online help. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure (such as multicast and broadcast traffic) to pass. While the Kerberos and RSVP exemptions are in place, an attacker can bypass a blocking IPsec filter simply by sending traffic to or from the Kerberos or RSVP ports; setting NoDefaultExempt to 1 removes those two exemptions, so that only IKE, multicast and broadcast traffic remain exempt. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ subkey.
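As an added example (not code from the guide or its templates), the following Python script turns the MSS entries of this section into the [Registry Values] lines of a secedit security template, which is the form in which the guide's .inf files carry them, parses the section back, and compares a registry snapshot against the recommended values. The subkeys follow the subsections above; the keys for NoDriveTypeAutoRun, AutoReboot and AutoShareWks, the RasMan key for DisableSavePassword, and the per-environment values that Table 4.2 does not show (taken from the recommendation in each entry's name) are assumptions of the example, and the snapshot is constructed, not captured from a real server.

```python
"""Emit the [Registry Values] section of a secedit security template for the MSS
entries above and audit a registry snapshot against it. Added example, not code
from the guide."""
from __future__ import annotations

from dataclasses import dataclass

# Data-type codes used on the right-hand side of a [Registry Values] line.
REG_SZ = 1
REG_DWORD = 4

ENVIRONMENTS = ("Legacy Client", "Enterprise Client",
                "Specialized Security - Limited Functionality")

# Subkeys below HKEY_LOCAL_MACHINE named in the subsections above.
NETBT = r"System\CurrentControlSet\Services\Netbt\Parameters"
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SESSION_MANAGER = r"System\CurrentControlSet\Control\Session Manager"
EVENTLOG_SECURITY = r"System\CurrentControlSet\Services\Eventlog\Security"


@dataclass(frozen=True)
class MssEntry:
    name: str        # value name, as shown in the MSS: (...) label in the SCE
    key: str         # subkey below HKEY_LOCAL_MACHINE
    reg_type: int    # REG_DWORD or REG_SZ
    values: tuple    # recommended data per environment, in ENVIRONMENTS order


# Values that Table 4.2 does not print are taken from the recommendation in the
# entry name (assumed). The NoDriveTypeAutoRun, AutoReboot and AutoShareWks keys
# and the RasMan key for DisableSavePassword are likewise assumptions here.
ENTRIES = (
    MssEntry("NoNameReleaseOnDemand", NETBT, REG_DWORD, (1, 1, 1)),
    MssEntry("NtfsDisable8dot3NameCreation",
             r"System\CurrentControlSet\Control\FileSystem", REG_DWORD, (1, 1, 1)),
    MssEntry("NoDriveTypeAutoRun",
             r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
             REG_DWORD, (0xFF, 0xFF, 0xFF)),
    MssEntry("ScreenSaverGracePeriod", WINLOGON, REG_SZ, ("0", "0", "0")),
    MssEntry("WarningLevel", EVENTLOG_SECURITY, REG_DWORD, (90, 90, 90)),
    MssEntry("SafeDllSearchMode", SESSION_MANAGER, REG_DWORD, (1, 1, 1)),
    MssEntry("AutoReboot", r"System\CurrentControlSet\Control\CrashControl",
             REG_DWORD, (1, 1, 0)),
    MssEntry("AutoAdminLogon", WINLOGON, REG_DWORD, (0, 0, 0)),
    MssEntry("AutoShareWks", r"System\CurrentControlSet\Services\LanmanServer\Parameters",
             REG_DWORD, (1, 1, 0)),
    MssEntry("DisableSavePassword", r"System\CurrentControlSet\Services\RasMan\Parameters",
             REG_DWORD, (1, 1, 1)),
    MssEntry("NoDefaultExempt", r"System\CurrentControlSet\Services\IPSEC",
             REG_DWORD, (1, 1, 1)),
)


def _literal(reg_type: int, data) -> str:
    # Strings are quoted in a template; DWORDs are written in decimal (255, not 0xFF).
    return f'"{data}"' if reg_type == REG_SZ else str(int(data))


def template_lines(env: str) -> list[str]:
    """One MACHINE\\<key>\\<name>=<type>,<data> line per entry for the environment."""
    idx = ENVIRONMENTS.index(env)
    return [f"MACHINE\\{e.key}\\{e.name}={e.reg_type},{_literal(e.reg_type, e.values[idx])}"
            for e in ENTRIES]


def render_template(env: str) -> str:
    head = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
            "Revision=1", "[Registry Values]"]
    return "\n".join(head + template_lines(env)) + "\n"


def parse_registry_values(text: str) -> dict[str, tuple[int, object]]:
    """Parse [Registry Values] back into {path: (type, data)}; strings lose their quotes."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or not line or line.startswith(";"):
            continue
        path, _, rhs = line.partition("=")
        type_str, _, data = rhs.partition(",")
        reg_type = int(type_str)
        result[path] = (reg_type, data.strip('"') if reg_type == REG_SZ else int(data))
    return result


def audit(snapshot: dict[str, object], env: str) -> list[tuple[str, object, object]]:
    """Compare {path: data} read from a server (absent values omitted) with the
    recommendation; returns (path, expected, actual) for each drifted or missing value."""
    expected = parse_registry_values(render_template(env))
    return [(path, want, snapshot.get(path))
            for path, (_, want) in expected.items() if snapshot.get(path) != want]


def sample_snapshot() -> dict[str, object]:
    """Constructed snapshot of an Enterprise Client server: compliant except that
    SafeDllSearchMode is 0, AutoAdminLogon is 1 and ScreenSaverGracePeriod is absent."""
    snap = {p: d for p, (_, d) in parse_registry_values(render_template("Enterprise Client")).items()}
    snap[f"MACHINE\\{SESSION_MANAGER}\\SafeDllSearchMode"] = 0
    snap[f"MACHINE\\{WINLOGON}\\AutoAdminLogon"] = 1
    del snap[f"MACHINE\\{WINLOGON}\\ScreenSaverGracePeriod"]
    return snap


if __name__ == "__main__":
    print(render_template("Specialized Security - Limited Functionality"))
    for path, want, have in audit(sample_snapshot(), "Enterprise Client"):
        print(f"DRIFT {path}: expected {want!r}, found {have!r}")
```

The rendered text can be saved as a .inf file and imported into a GPO (Security Settings, Import Policy) or applied locally with secedit /configure; the snapshot for the audit would in practice be filled from reg query output or a secedit /analyze run on the server. Without the Sceregvl.inf update described above, the SCE still applies these lines but does not display them, which is why checking the registry directly is worthwhile.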
Restricted Groups
The Restricted Groups capability allows you to manage group membership through policy mechanisms and prevent either deliberate or inadvertent exploitation of groups that have powerful user rights. You should first review the needs of your organization to determine the groups that you want to restrict. The Backup Operators and Power Users groups are restricted in all three environments that are defined in this guide. Although members of the Backup Operators and Power Users groups have less access than members of the Administrators group, they still have powerful capabilities.
Note: If your organization uses any of these groups, then carefully control their membership and do not implement the guidance for the Restricted Groups setting. If your organization adds users to the Power Users group, you may want to implement the optional file system permissions that are described in the following "Securing the File System" section.
You can configure the Restricted Groups setting in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\ Administrators may configure restricted groups by adding the desired group directly to the MSBP. When a group is restricted, you can define its members and any other groups to which it belongs. If you do not specify these group members, the group remains totally restricted: every account that is added to it by other means is removed again at the next policy refresh.
Securing the File System
Note: You should thoroughly test any changes to the default file system security settings in a lab environment before you deploy them in a large organization. There have been cases in which file permissions have been altered to a point that required the affected computers to be completely rebuilt.
The default file permissions in Windows Server 2003 with SP1 are sufficient for most situations. However, if you do not plan to block membership of the Power Users group with the Restricted Groups feature, or if you plan to enable the Network access: Let Everyone permissions apply to anonymous users setting, you may want to apply the optional permissions that are described in the paragraph that follows. They are very specific, and they apply additional restrictions to certain executable tools that a malicious user with elevated privileges may use to further compromise the computer or network. Note that these changes do not affect multiple folders or the root of the system volume. It can be very risky to change permissions in that manner, and doing so can often cause computer instability. All of the following files are located in the %SystemRoot%\System32\ folder, and they are all given the following permissions: Administrators: Full Control; System: Full Control.
regedit.exe, arp.exe, at.exe, attrib.exe, cacls.exe, debug.exe, edlin.exe, eventcreate.exe, eventtriggers.exe, ftp.exe, nbtstat.exe, net.exe, net1.exe, netsh.exe, netstat.exe, nslookup.exe, ntbackup.exe, rcp.exe, reg.exe, regedt32.exe, regini.exe, regsvr32.exe, rexec.exe, route.exe, rsh.exe, sc.exe, secedit.exe, subst.exe, systeminfo.exe, telnet.exe, tftp.exe, tlntsvr.exe
For your convenience, these optional permissions are already configured in the security template called Optional-File-Permissions.inf, which is included with the downloadable version of this guide.
Table 4.30 Manually Added User Rights Assignments

Setting Name in UI | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Deny access to this computer from the network | Built-in Administrator; SUPPORT_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; SUPPORT_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; SUPPORT_388945a0; Guest; all NON-Operating System service accounts
 | SUPPORT_388945a0 and Guest | SUPPORT_388945a0 and Guest | SUPPORT_388945a0 and Guest
 | Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all NON-operating system service accounts | Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all NON-operating system service accounts | Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all NON-operating system service accounts
(The setting names of the second and third rows are not legible in this copy of the table.)

Important: All NON-operating system service accounts are service accounts for specific applications in your enterprise. These accounts do not include LOCAL SYSTEM, LOCAL SERVICE, or the NETWORK SERVICE accounts that are built-in accounts for the operating system.
To manually add the listed security groups to the Enterprise Client - Member Server Baseline Policy, complete the following steps.
To add security groups to the User Rights Assignments
1. In Active Directory Users and Computers, right-click the Member Servers OU, and then select Properties.
2. On the Group Policy tab, select the Enterprise Client - Member Server Baseline Policy to edit the linked GPO.
3. Select Enterprise Client - Member Server Baseline Policy, and then click Edit.
4. In the Group Policy window, click Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and add the security groups from the previous table to each right.
5. Close the Group Policy that you modified.
6. Close the Member Servers OU Properties window.
7. Refresh the policy on the server:
a. Open a command prompt, type gpupdate /force, and press ENTER to force the server to refresh the policy.
b. Reboot the server.
gpupdate refreshes Group Policy only on the computer where it runs; it does not replicate the GPO between domain controllers. Allow normal Active Directory replication to complete (or trigger it with repadmin /syncall) before you test servers that authenticate against other domain controllers.
8. Verify in the event log that the Group Policy downloaded successfully and that the server can communicate with the other domain controllers in the domain.
Note: The built-in Administrator account can be renamed through Group Policy. This setting was not implemented in the baseline policy because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
NTFS
NTFS partitions support ACLs at the file and folder levels. This support is not available with the file allocation table (FAT) or FAT32 file systems. FAT32 is a version of the FAT file system that has been updated to permit significantly smaller default cluster sizes and to support hard disks up to two terabytes in size. FAT32 is included in Windows 95 OSR2, Windows 98, Microsoft Windows Me, Windows 2000, Windows XP Professional, and Windows Server 2003. Format all partitions on every server with NTFS. Use the convert utility to carefully convert FAT partitions to NTFS, but remember that a converted volume can end up with the ACL Everyone: Full Control (this is what the /NoSecurity switch sets explicitly), so check the resulting permissions with cacls after the conversion. For computers that run Windows Server 2003 with SP1, apply the following two security templates locally to configure the default file system ACLs for member servers and domain controllers respectively:
%windir%\inf\defltsv.inf
%windir%\inf\defltdc.inf
Note: The default domain controller security settings are applied during the promotion of a server to a domain controller.
All partitions on servers in all three environments that are defined in this guide are formatted with NTFS to provide the means for file and directory security management through ACLs.
The three available levels of encryption are described in the following table:

Table 4.32 Terminal Services Encryption Levels

Encryption level | Description
High level | Encrypts data that is sent from client to server and from server to client with strong 128-bit encryption. Use this level when the terminal server runs in an environment that contains 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.
Client Compatible | Encrypts data that is sent between the client and the server at the maximum key strength that is supported by the client. Use this level when the terminal server runs in an environment that contains mixed or legacy clients.
Low level | Encrypts data that is sent from the client to the server with 56-bit encryption. Important: Data sent from the server to the client is not encrypted.

None of these levels by itself authenticates the terminal server to the client, so they protect the session contents but not against a man-in-the-middle that impersonates the server; Windows Server 2003 with SP1 can additionally use TLS as the RDP security layer for server authentication.
Error Reporting

Table 4.33 Recommended Error Reporting Settings

Setting | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Turn off Windows Error Reporting | Enabled | Enabled | Enabled

This service helps Microsoft track and address errors. You can configure this service to generate reports for operating system errors, Windows component errors, or program errors. It is only available in Windows XP Professional and Windows Server 2003. The Error Reporting service can report such errors to Microsoft through the Internet or to an internal file share. Although error reports can potentially contain sensitive or even confidential data (a crash report includes a portion of the failing process's memory), the Microsoft privacy policy with regard to error reporting ensures that Microsoft will not use such data improperly. However, the data is transmitted in plaintext HTTP, which could be intercepted on the Internet and viewed by third parties. The Turn off Windows Error Reporting setting controls whether the Error Reporting service transmits any data. You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings. Configure the Turn off Windows Error Reporting setting to Enabled in the MSBP for all three environments that are defined in this guide.
valuable to capture memory dumps on some servers, you can follow the instructions that are provided in "Windows feature allows a Memory.dmp file to be generated with the keyboard" at http://support.microsoft.com/default.aspx?kbid=244139.
Important: When memory is copied to disk as described in the referenced article, sensitive information may be included in the Memory.dmp file. Ideally, all servers are protected from unauthorized physical access. If you generate a memory dump file on a server that is at risk for physical compromise, be sure to delete the dump file after troubleshooting is concluded.
12. Ensure the Skip this section checkbox is unchecked in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
13. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
14. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
15. Include the appropriate security template (for example, EC-Member Server Baseline.inf).
16. Save the policy with an appropriate name (for example, Member Server Baseline.xml).
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Summary
This chapter explained the server hardening procedures that were initially applied to all of the servers that run Windows Server 2003 with SP1 in all three security environments that are defined in this guide. Most of these procedures created a unique security template for each security environment and imported it into a GPO that is linked to the parent OU for the member servers to achieve the targeted level of security. However, some of these hardening procedures cannot be applied through Group Policy. Guidance was provided about how to configure these settings manually. Additional steps were taken for specific server roles to enable them to function within their roles as securely as possible. Server role-specific steps include both additional hardening procedures and procedures to relax the security settings in the baseline security policy. These changes are discussed in detail in the following chapters of this guide.
More Information
The following links provide additional information about topics that relate to hardening servers that run Windows Server 2003 with SP1.
For more information about Windows Server 2003 security settings, see the Security Setting Descriptions page at http://technet2.microsoft.com/WindowsServer/en/Library/dd980ca3-f686-4ffc-a617-50c6240f55821033.mspx.
For more information about security for Windows Server 2003, see the Windows Server 2003 Security Center at www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx.
For more information about audit policy for Windows Server 2003, see the Auditing Policy page at http://technet2.microsoft.com/WindowsServer/en/Library/6847e72b-9c47-42ab-b3e3-691addac9f331033.mspx.
For more information about Microsoft Operations Manager (MOM), see the Microsoft Operations Manager page at www.microsoft.com/mom/.
For more information about user rights in Windows Server 2003, see the User rights page at http://technet2.microsoft.com/WindowsServer/en/Library/589980fb-1a83-490e-a745-357750ced3d91033.mspx.
For more information about default security settings for Windows Server 2003, see the Differences in default security settings page at http://technet2.microsoft.com/WindowsServer/en/Library/1494bf2c-b596-4785-93bb-bc86f8e548d51033.mspx.
For more information about how to secure Windows 2000 Terminal Services, see "Securing Windows 2000 Terminal Services" at www.microsoft.com/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.mspx.
For more information about how to secure the Windows Server 2003 TCP/IP stack, see the Microsoft Knowledge Base article "How To Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003" at http://support.microsoft.com/?kbid=324270.
For more details about how to harden the settings for Windows Sockets applications, see the Microsoft Knowledge Base article "Internet Server Unavailable Because of Malicious SYN Attacks" at http://support.microsoft.com/?kbid=142641.
For more information about the location of .adm files, see the Microsoft Knowledge Base article "Location of ADM (Administrative Template) Files in Windows" at http://support.microsoft.com/?kbid=228460.
For more information about how to customize the Security Configuration Editor user interface, see the Microsoft Knowledge Base article "How to Add Custom Registry Settings to Security Configuration Editor" at http://support.microsoft.com/?kbid=214752.
For more information about how to create custom administrative template files in Windows, see the Microsoft Knowledge Base article "HOW TO: Create Custom Administrative Templates in Windows 2000" at http://support.microsoft.com/?kbid=323639. Also review the white paper "Using Administrative Template Files with Registry-Based Group Policy" at www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx.
For more information about ensuring that more secure LAN Manager authentication level settings work in networks with a mix of Windows 2000 and Windows NT 4.0 computers, see the Microsoft Knowledge Base article "Authentication Problems in Windows 2000 with NTLM 2 Levels Above 2 in a Windows NT 4.0 Domain" at http://support.microsoft.com/?kbid=305379.
For more information about NTLMv2 authentication, see the Microsoft Knowledge Base article "How to enable NTLM 2 authentication" at http://support.microsoft.com/?kbid=239869.
For more information about the default settings for services in Windows Server 2003, see the Default settings for services page at http://technet2.microsoft.com/WindowsServer/en/Library/2b1dc6cf-2e34-4681-9aa6-8d0ffba2d3e31033.mspx.
For more information about smart card deployment, see "Get Smart! Boost Your Network's IQ With Smart Cards" at www.microsoft.com/technet/technetmag/issues/2005/01/SmartCards/default.aspx.
For more information about the "RestrictAnonymous" registry value and Windows 2000, see the Microsoft Knowledge Base article "The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain" at http://support.microsoft.com/?kbid=296405.
For more information about error reporting, see the Corporate Error Reporting page at www.microsoft.com/resources/satech/cer/.
For information about network ports used by Microsoft applications, see the Microsoft Knowledge Base article "Service overview and network port requirements for the Windows Server system" at http://support.microsoft.com/kb/832017.
Table 5.1 Domain Controller Baseline Security Templates

Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
 | | SSLF-Domain Controller.inf
(Only the Specialized Security - Limited Functionality template name is legible in this copy of the table.)

Note: Domain operations could be severely impaired if an incorrectly configured Group Policy object (GPO) is linked to the Domain Controllers OU. Use extreme care when you import these security templates, and verify that all imported policy settings are correct before you link a GPO to the Domain Controllers OU.
(Remainder of the domain controller user rights assignment table; its header row and earlier rows are not on this page. Surviving cell values, identical for two environment columns: Not defined; Not defined; Not defined; Administrators, Server Operators, Backup Operators; Administrators; Administrators, LOCAL SERVICE; Not defined. Rights covered by the surviving rows: Allow log on through Terminal Services; Change the system time; Enable computer and user accounts to be trusted for delegation; Load and unload device drivers; Restore files and directories; Shut down the system.)
to domain controllers from users and from computers, and for access to shared folders and printers. Although permissions that are assigned to the Everyone security group no longer provide access to anonymous users in Windows Server 2003 with SP1, guest groups and accounts can still be provided with access through the Everyone security group. For this reason, the Everyone security group is removed from the Access this computer from the network user right in the DCBP for the SSLF environment. Removal of this group provides an extra safeguard against attacks that target guest access to the domain. This policy setting is configured to Not defined for the LC and EC environments.
other workstations. Only users in the Administrators group should perform maintenance tasks on domain controllers. If you assign the Allow log on locally user right only to the Administrators group, physical and interactive domain controller access is limited to only highly trusted users, which enhances security. For this reason, the Allow log on locally user right is assigned only to the Administrators group in the DCBP for the SSLF environment. This policy setting is configured to include the Server Operators and Backup Operators groups for the LC and EC environments.
For more information on the Microsoft Windows® Time Service, see the Windows Time Service Technical Reference at http://technet2.microsoft.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx.
By default, the Restore files and directories user right is assigned to the Server Operators and Backup Operators groups. This right (SeRestorePrivilege) lets its holder write any file and set any owner or ACL regardless of the existing permissions, which is enough to replace system binaries or the directory database, so it is effectively administrator-equivalent. If you remove this user right from these groups and assign it only to the Administrators group, the likelihood of domain controller compromise by improper modifications to the file system is reduced. Therefore, the Restore files and directories user right is assigned only to the Administrators group in the DCBP for all three environments that are defined in this guide.
Security Options
Most of the security option settings for domain controllers are the same as those specified in the MSBP. For more information, see Chapter 4, "The Member Server Baseline Policy." Differences between the MSBP and the DCBP policy settings are described in the following sections.
guide. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job, rather than as LOCAL SYSTEM.
Note: The AT Service Account can be changed to a different account rather than the LOCAL SYSTEM account. To change the account, open the Accessories folder, click System Tools, and then click Scheduled Tasks. Then click AT Service Account on the Advanced menu.
Network security: Do not store LAN Manager hash value on next password change
This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Windows NT® hash: it upper-cases the password, pads it to 14 characters, splits it into two 7-character halves and DES-encrypts a constant with each half, so each half can be cracked independently from a small keyspace, and an attacker who obtains the stored hashes recovers the password quickly.
For this reason, the DCBP enables the Network security: Do not store LAN Manager hash value on next password change setting in all three environments that are defined in this guide.
Note: Older operating systems and some third-party applications may fail if you enable this policy setting. For example, Windows 95 and Windows 98 will fail if they do not have the Active Directory Client Extension installed. Also, the setting takes effect only when a password is changed; LM hashes that are already stored remain until then, so you must require all accounts to change their passwords for the setting to take full effect.
Restricted Groups
As described in the previous chapter, the Restricted Groups setting allows you to manage the membership of groups in Windows Server 2003 with SP1 through Active Directory Group Policy. First, review the needs of your organization to determine the groups you want to restrict. For domain controllers, the Server Operators and Backup Operators groups are restricted in all three environments that are defined in this guide. Although members of the Server Operators and Backup Operators groups have less access than members of the Administrators group, they still have powerful capabilities.
Note: If your organization uses any of these groups, then carefully control their membership and do not implement the guidance for the Restricted Groups setting. If your organization adds users to the Server Operators group, you may want to implement the optional file system permissions that are described in the "Securing the File System" section in the previous chapter.

Table 5.4 Restricted Groups Recommendations

Local Group | Legacy Client | Enterprise Client | Specialized Security - Limited Functionality
Backup Operators | No members | No members | No members
Server Operators | No members | No members | No members

The Restricted Groups setting can be configured in Windows Server 2003 with SP1 at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\ To configure restricted groups for a GPO, administrators can add the desired group directly to the Restricted Groups node of the GPO namespace. When a group is restricted, you can define its members and any other groups to which it belongs. If you do not specify these group members, the group is left totally restricted. The security templates supplied with this guide carry these settings; the procedure below shows how to view or modify them in a template.
To view or modify the Restricted Groups setting
1. Open the Security Templates Management Console.
Note: The Security Templates Management Console is not added to the Administrative Tools menu by default. To add it, start the Microsoft Management Console (mmc.exe) and add the Security Templates snap-in.
2. Double-click the configuration file directory, and then the configuration file.
3. Double-click the Restricted Groups item.
4. Right-click Restricted Groups.
5. Select Add Group.
6. Click the Browse button, then Locations, select the locations you want to browse, and then click OK.
Note: Typically, this action will cause the local computer to display at the top of the list.
7. Type the group name in the Enter the object names to select text box and then click the Check Names button.
- or -
Click the Advanced button, and then the Find Now button to list all available groups.
8. Select the groups you want to restrict, and then click OK.
9. Click OK on the Add Groups dialog box to close it.
In this guidance, all members (users and groups) of the Server Operators and Backup Operators groups were removed to totally restrict them in all three environments. Also, for the SSLF environment, all members were removed from the Remote Desktop Users group. Microsoft recommends that you restrict any built-in group you do not plan to use in your organization.
Note: The configuration of Restricted Groups that is described in this section is very simple. Versions of Windows XP with SP1 and SP2 as well as Windows Server 2003 support more complex designs. For more information, see the Microsoft Knowledge Base article "Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups" at http://support.microsoft.com/default.aspx?kbid=810076.
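As an added example that is not part of the guide, the following Python script emits the three template sections that this chapter and the previous one configure by hand: [Group Membership] for the restricted groups of Table 5.4 (an empty Members line and an empty Memberof line leave a group totally restricted), [Privilege Rights] for the Deny access to this computer from the network right of the manually added user rights table, and [File Security] for the optional tool permissions from Chapter 4. It then parses the result back and checks that every file entry's SDDL grants access only to Administrators and SYSTEM. The well-known SIDs, the inheritance flag 0 and the SDDL string are the standard values but are assumptions of the example rather than text quoted from the guide, and `service_accounts` stands in for your own list of non-operating-system service accounts.

```python
"""Emit and check security-template sections for restricted groups, a deny-logon
user right and per-file ACLs. Added example; not code shipped with the guide."""
from __future__ import annotations

import re

# Well-known SIDs of the built-in groups the guide restricts (assumed here; the
# S-1-5-32-* identifiers are the standard BUILTIN group SIDs).
WELL_KNOWN_GROUPS = {
    "Backup Operators": "S-1-5-32-551",
    "Server Operators": "S-1-5-32-549",
    "Power Users": "S-1-5-32-547",
    "Remote Desktop Users": "S-1-5-32-555",
}

# Tools from the Chapter 4 optional file permissions: Administrators and SYSTEM only.
LOCKED_TOOLS = (
    "regedit.exe", "arp.exe", "at.exe", "attrib.exe", "cacls.exe", "debug.exe",
    "edlin.exe", "eventcreate.exe", "eventtriggers.exe", "ftp.exe", "nbtstat.exe",
    "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nslookup.exe",
    "ntbackup.exe", "rcp.exe", "reg.exe", "regedt32.exe", "regini.exe",
    "regsvr32.exe", "rexec.exe", "route.exe", "rsh.exe", "sc.exe", "secedit.exe",
    "subst.exe", "systeminfo.exe", "telnet.exe", "tftp.exe", "tlntsvr.exe",
)
# Protected DACL (P = inherited ACEs are blocked) with Full Access for
# BUILTIN\Administrators (BA) and Local System (SY) only. Assumed SDDL.
ADMIN_SYSTEM_FULL = "D:P(A;;FA;;;BA)(A;;FA;;;SY)"
_ACE = re.compile(r"\((A|D);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def group_membership_section(groups) -> list[str]:
    """Restricted Groups: an empty Members line removes every member, an empty
    Memberof line removes the group from every other group."""
    lines = ["[Group Membership]"]
    for group in groups:
        sid = WELL_KNOWN_GROUPS[group]
        lines += [f"*{sid}__Memberof =", f"*{sid}__Members ="]
    return lines


def privilege_rights_section(service_accounts) -> list[str]:
    """Deny access to this computer from the network (SeDenyNetworkLogonRight) for
    the accounts in the table; service_accounts is your list of non-OS accounts."""
    denied = ["Administrator", "SUPPORT_388945a0", "Guest", *service_accounts]
    return ["[Privilege Rights]", "SeDenyNetworkLogonRight = " + ",".join(denied)]


def file_security_section(tools=LOCKED_TOOLS) -> list[str]:
    # Entry form: "path",mode,"SDDL"; mode 0 = propagate to children (no-op for a file).
    return ["[File Security]"] + [
        f'"%SystemRoot%\\System32\\{tool}",0,"{ADMIN_SYSTEM_FULL}"' for tool in tools
    ]


def render_template(groups, service_accounts) -> str:
    header = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    body = (group_membership_section(groups) + privilege_rights_section(service_accounts)
            + file_security_section())
    return "\n".join(header + body) + "\n"


def parse_sections(text: str) -> dict[str, list[str]]:
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def members_of(text: str, sid: str) -> list[str]:
    """Members listed for a restricted group ([] means totally restricted)."""
    for line in parse_sections(text).get("Group Membership", []):
        key, _, value = line.partition("=")
        if key.strip() == f"*{sid}__Members":
            return [m.strip() for m in value.split(",") if m.strip()]
    raise KeyError(sid)


def denied_network_logon(text: str) -> list[str]:
    for line in parse_sections(text).get("Privilege Rights", []):
        key, _, value = line.partition("=")
        if key.strip() == "SeDenyNetworkLogonRight":
            return [a.strip() for a in value.split(",") if a.strip()]
    return []


def sddl_allows_only(sddl: str, trustees=frozenset({"BA", "SY"})) -> bool:
    """True if the DACL is protected from inheritance and every allow ACE names one of
    the trustees; catches e.g. a leftover (A;;0x1200a9;;;BU) read ACE for Users."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    allows = [m.group(6) for m in _ACE.finditer(dacl) if m.group(1) == "A"]
    return dacl.startswith("P") and bool(allows) and all(t in trustees for t in allows)


def file_security_findings(text: str) -> list[str]:
    """Paths in [File Security] whose SDDL lets anyone besides Administrators/SYSTEM in."""
    bad = []
    for line in parse_sections(text).get("File Security", []):
        path, _mode, sddl = [p.strip().strip('"') for p in line.rsplit(",", 2)]
        if not sddl_allows_only(sddl):
            bad.append(path)
    return bad


if __name__ == "__main__":
    template = render_template(["Server Operators", "Backup Operators"], ["svc_backup"])
    print(template)
    print("non-compliant file entries:", file_security_findings(template))
```

The same [Group Membership] form with Power Users in place of Server Operators gives the member-server configuration of the previous chapter, and the Remote Desktop Users line covers the SSLF domain controller. Because a restricted group is re-applied at every policy refresh, an account that an attacker or a careless administrator adds to Server Operators on one domain controller is removed again as soon as the policy refreshes, which is the property the guide relies on.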
accordance with the recommendations in Chapter (# HThe Member +erver 9aseline 8olic"#H ensure that "ou select the newl" renamed administrator account when "ou add the account to an" den" access user ri&hts.
Table < F Manually &dded (ser /i"'ts &ssi"nments Settin" Deny access to this computer from the network 2e"acy Client Cuilt%in AdministratorV SupportP,>>6E5a+V HuestV all 8$8% $perating System service accounts SupportP,>>6E5a+ and Huest Cuilt%in AdministratorV all 8$8%operating system service accounts !nterprise Client Cuilt%in AdministratorV SupportP,>>6E5a+V HuestV all 8$8% $perating System service accounts SupportP,>>6E5a+ and Huest Cuilt%in AdministratorV all 8$8%operating system service accounts Speciali1ed Security 7 2imited 0unctionality Cuilt%in AdministratorV SupportP,>>6E5a+V HuestV all 8$8% $perating System service accounts SupportP,>>6E5a+ and Huest Cuilt%in AdministratorV all 8$8%operating system service accounts
Important: "All non-operating system service accounts" includes service accounts that are used for specific applications across an enterprise, but does NOT include LOCAL SYSTEM, LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses).
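The Restricted Groups and deny-rights recommendations above can be checked offline against the security template (.inf) that carries them. The following Python is an added example, not code from this guide or its templates: it parses a constructed template (labelled as such in the code) and reports any restricted group that still has members, any of the listed accounts missing from the deny network access right, and a deny right that still names "Administrator" after the account has been renamed. The section names, the *SID__Members key form and the SeDeny* privilege names follow the security template format that Group Policy uses; the renamed account name and the sample group member are assumed values.

```python
r"""Audit a security template (.inf) against the Restricted Groups and
deny-rights recommendations for domain controllers.

Added example, not code from the Windows Server 2003 Security Guide or its
templates. Both template texts below are constructed for the demonstration.
"""
import configparser

# Well-known SIDs of the built-in groups the guide empties.
RESTRICTED_GROUPS = {
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",  # emptied in the SSLF environment only
}

# Accounts the guide adds to "Deny access to this computer from the network".
# The built-in Administrator is expected under its renamed name (checked below).
EXPECTED_DENY = {"Guest", "Support_388945a0"}

# Constructed template: Remote Desktop Users still has a member, and the deny
# right names "Administrator" rather than the renamed account.
WEAK_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "SrvAdminRenamed"
[Group Membership]
*S-1-5-32-549__Memberof =
*S-1-5-32-549__Members =
*S-1-5-32-551__Memberof =
*S-1-5-32-551__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\HelpDesk
[Privilege Rights]
SeDenyNetworkLogonRight = Guest,Support_388945a0,Administrator
SeDenyBatchLogonRight = Guest,Support_388945a0
"""

# Constructed template that follows the recommendations.
HARDENED_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "SrvAdminRenamed"
[Group Membership]
*S-1-5-32-549__Memberof =
*S-1-5-32-549__Members =
*S-1-5-32-551__Memberof =
*S-1-5-32-551__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members =
[Privilege Rights]
SeDenyNetworkLogonRight = Guest,Support_388945a0,SrvAdminRenamed
SeDenyBatchLogonRight = Guest,Support_388945a0
"""


def parse_template(text):
    """Security templates are INI-style; keep key case (SeDeny... names are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a comma-separated template value into non-empty names."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit(text, sslf=False):
    """Return a list of findings; an empty list means the template complies."""
    cp = parse_template(text)
    findings = []

    # 1. Restricted Groups: every restricted group must have an empty Members list.
    groups = dict(RESTRICTED_GROUPS)
    if not sslf:
        groups.pop("S-1-5-32-555")  # Remote Desktop Users is only emptied for SSLF
    for sid, name in groups.items():
        key = f"*{sid}__Members"
        members = cp.get("Group Membership", key, fallback=None)
        if members is None:
            findings.append(f"{name}: not restricted (no {key} entry)")
        elif split_list(members):
            findings.append(f"{name}: still has members {split_list(members)}")

    # 2. Deny network access: Guest, Support_388945a0 and the renamed Administrator.
    deny = set(split_list(cp.get("Privilege Rights", "SeDenyNetworkLogonRight", fallback="")))
    for acct in sorted(EXPECTED_DENY - deny):
        findings.append(f"SeDenyNetworkLogonRight: missing {acct}")
    renamed = cp.get("System Access", "NewAdministratorName", fallback="").strip('"')
    if renamed and renamed not in deny:
        findings.append(f"SeDenyNetworkLogonRight: renamed administrator {renamed!r} not listed")
    if renamed and renamed != "Administrator" and "Administrator" in deny:
        findings.append("SeDenyNetworkLogonRight: lists 'Administrator', which no longer "
                        "resolves once the account is renamed")
    return findings


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, audit(tpl, sslf=True) or "OK")
```

Run as a script it prints the findings for the weak template and "OK" for the hardened one; `audit(text, sslf=True)` adds the Remote Desktop Users check that applies only to the SSLF environment.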
Directory Services
Domain controllers that run Windows Server 2003 with SP1 store directory data and manage user and domain interactions, including user logon processes, authentication, and directory searches.
This guide recommends that you increase the maximum size of the Directory Service and File Replication Service log files from the 512 KB default to 16 MB on the domain controllers in the three environments that are defined in this guide.
Using Syskey
On domain controllers, password information is stored in Active Directory. It is not unusual for password-cracking software to target the Security Accounts Manager (SAM) database or directory services to access passwords for user accounts. The System Key utility (Syskey) provides an extra line of defense against offline password-cracking software. Syskey uses strong encryption techniques to secure account password information that is stored in the SAM on the domain controller.

Syskey Modes

System Key option: Mode 1: System Generated Password, Store Startup Key Locally
Security level: Secure
Description: Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. This option provides strong encryption of password information in the registry, and enables the user to restart the computer without the need for an administrator to enter a password or insert a disk.

System Key option: Mode 2 (console password; option name not recovered)
Security level: More secure
Description: Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. The key is also protected by an administrator-chosen password. Users are prompted for the system key password when the computer is in the initial startup sequence. The system key password is not stored anywhere on the computer.

System Key option: Mode 3: System Generated Password, Store Startup Key on Floppy Disk
Security level: Most secure
Description: Uses a computer-generated random key and stores the key on a floppy disk. The floppy disk that contains the system key is required for the computer to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer.
Syskey is enabled on all Windows Server 2003 with SP1 servers in Mode 1 (obfuscated key). From a security standpoint, this configuration appears sensible at first. However, Syskey in Mode 1 allows an attacker to read and alter the contents of the directory, which would render the domain controller easily vulnerable to an attacker with physical access. There are many reasons to recommend using Syskey in Mode 2 (console password) or Mode 3 (floppy storage of Syskey password) for any domain controller that is exposed to physical security threats. However, the operational need to restart domain controllers tends to make Syskey Mode 2 or Mode 3 difficult to support. To take advantage of the added protection provided by these Syskey modes, the proper operational processes must be implemented in your environment to meet specific availability requirements for the domain controllers. The logistics of Syskey password or floppy disk management can be quite complex, especially in branch offices. For example, it can be very expensive to require one of your branch managers or local administrative staff to come to the office at 3 A.M. to enter passwords or insert a floppy to enable user access. Such expensive requirements can make the achievement of high availability service level agreements (SLAs) a significant challenge. Alternatively, if you decide to allow your centralized IT operations personnel to provide the Syskey password remotely, additional hardware is required. Some hardware vendors have add-on solutions that allow you to remotely access server consoles. Finally, the loss of the Syskey password or floppy disk would leave your domain controller in a state where it cannot be restarted. There is no method for you to recover a domain controller if the Syskey password or floppy disk is lost. If this happens, the domain controller must be rebuilt. With the proper operational procedures in place, Syskey can provide an increased level of security to protect sensitive directory information on domain controllers. For these reasons, Syskey Mode 2 or Mode 3 is recommended for domain controllers in locations without strong physical storage security. This configuration applies to domain controllers in all three environments that are described in this guide.

To create or update a system key
1. Click Start, click Run, type syskey, and then click OK.
2. Click Encryption Enabled, and then click Update.
3. Click the desired option, and then click OK.
For these reasons, the routers that are used in the three environments that are defined in this guide are configured to drop spoofed IP packets, which helps ensure that the IP addresses of the DNS servers are not spoofed by other computers.
Use of secure dynamic DNS updates guarantees that registration requests are only processed if they are sent from valid clients in an Active Directory forest. This method severely limits the ability of an attacker to compromise the integrity of a DNS server. For these reasons, the Active Directory DNS servers in the three environments that are defined in this guide are configured to accept only secure dynamic updates.
Note: The built-in administrator account can be renamed through Group Policy. This policy setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
service accounts, see The Services and Service Accounts Security Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41311.
The Set client connection encryption level setting determines the level of encryption for Terminal Services client connections in your environment. The High Level option that uses 128-bit encryption prevents an attacker from eavesdropping on Terminal Services sessions with a packet analyzer. Some older versions of the Terminal Services client do not support this high level of encryption. If your network contains such clients, set the encryption level of the connection to send and receive data at the highest encryption level that is supported by the client. The Set client connection encryption level setting is configured to Enabled and High Level encryption is selected in the DCBP for the three security environments that are defined in this guide. You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security

The three available levels of encryption are described in the following table:

Table 5.11 Terminal Services Encryption Levels

Encryption level: High level
Description: Encrypts data that is sent from client to server and from server to client with strong 128-bit encryption. Use this level when the Terminal Server runs in an environment that contains 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.

Encryption level: Client Compatible
Description: Encrypts data that is sent between the client and the server at the maximum key strength that is supported by the client. Use this level when the Terminal Server runs in an environment that contains mixed or legacy clients.

Encryption level: Low level
Description: Encrypts data that is sent from the client to the server with 56-bit encryption. Important: Data sent from the server to the client is not encrypted.
Error Reporting

Table 5.12 Recommended Error Reporting Settings

Setting: Turn off Windows Error Reporting
Legacy Client: Enabled
Enterprise Client: Enabled
Specialized Security - Limited Functionality: Enabled

This service helps Microsoft track and address errors. You can configure this service to generate reports for operating system errors, Windows component errors, or program errors. It is only available in Windows XP Professional and Windows Server 2003. The Error Reporting service can report such errors to Microsoft through the Internet or to an internal file share. Although error reports can potentially contain sensitive or even confidential data, the Microsoft privacy policy with regard to error reporting ensures that Microsoft will not use such data improperly. However, the data is transmitted in plaintext HTTP, which could be intercepted on the Internet and viewed by third parties. The Turn off Windows Error Reporting setting controls whether the Error Reporting service transmits any data. You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings

Configure the Turn off Windows Error Reporting setting to Enabled in the DCBP for all three environments that are defined in this guide.
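The two settings just discussed, the Terminal Services client connection encryption level and the Windows Error Reporting switch, both end up as registry values, so a template that carries them can be checked offline. The following Python is an added example, not code from the guide: it reads a template's [Registry Values] section, maps the minimum encryption level to the three levels of the encryption-level table above and flags anything below High level, and requires error reporting to be turned off. It assumes the policy settings write MinEncryptionLevel under SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (1 = Low, 2 = Client Compatible, 3 = High) and DoReport under SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting (0 = reporting off); the "type,data" value syntax (4 = REG_DWORD) is the .inf template convention, and both template texts are constructed.

```python
r"""Check the Terminal Services encryption level and Windows Error Reporting
settings carried in a security template's [Registry Values] section.

Added example, not code from the Windows Server 2003 Security Guide. The
registry paths are assumptions about where the two Group Policy settings are
stored; the two template texts are constructed.
"""
import configparser

TS_KEY = r"MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel"
WER_KEY = r"MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DoReport"
REG_DWORD = 4                      # type code in the "type,data" value syntax
TS_LEVELS = {1: "Low level", 2: "Client Compatible", 3: "High level"}
HIGH_LEVEL = 3                     # the level the guide selects (128-bit both ways)

# Constructed: Low level encryption and error reporting still on.
WEAK_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel=4,1
MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DoReport=4,1
"""

# Constructed: the values the guide recommends.
HARDENED_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel=4,3
MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DoReport=4,0
"""


def parse_template(text):
    """Security templates are INI-style; keep the case of the registry paths."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def registry_value(cp, key):
    """Return (type_code, data) for a [Registry Values] entry, or None if absent."""
    raw = cp.get("Registry Values", key, fallback=None)
    if raw is None:
        return None
    type_code, _, data = raw.partition(",")
    return int(type_code), data.strip()


def check(text):
    """Return findings for the two settings; an empty list means both comply."""
    cp = parse_template(text)
    findings = []

    ts = registry_value(cp, TS_KEY)
    if ts is None:
        findings.append("Terminal Services: Set client connection encryption level is not configured")
    else:
        type_code, level = ts[0], int(ts[1])
        if type_code != REG_DWORD:
            findings.append(f"Terminal Services: MinEncryptionLevel has type {type_code}, expected REG_DWORD")
        if level < HIGH_LEVEL:
            name = TS_LEVELS.get(level, str(level))
            extra = "; server-to-client traffic is not encrypted" if level == 1 else ""
            findings.append(f"Terminal Services: {name} allows sessions weaker than 128-bit{extra}")

    wer = registry_value(cp, WER_KEY)
    if wer is None or wer[1] != "0":
        findings.append("Error Reporting: DoReport must be 0 (Turn off Windows Error Reporting = Enabled) "
                        "so reports are not sent over plaintext HTTP")
    return findings


if __name__ == "__main__":
    print("weak:", check(WEAK_TEMPLATE))
    print("hardened:", check(HARDENED_TEMPLATE) or "OK")
```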
controller, make sure that you do not apply any setting to it with SCW or modify its configuration.
1. Install the Security Configuration Wizard component on the computer through Control Panel, Add/Remove Programs, Add/Remove Windows Components.
2. Launch the SCW GUI, select Create new policy, and point it to the reference computer.
3. Ensure that the detected server roles are appropriate for your environment. Do not remove the File server role, because it is required for the proper operation of domain controllers.
4. Ensure that the detected client features are appropriate for your environment.
5. Ensure that the detected administrative options are appropriate for your environment.
Note: If your environment contains domain controllers in multiple sites, ensure that Mail-based Active Directory replication is selected.
6. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
7. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
8. Ensure that the Skip this section checkbox is unchecked in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
Note: Ensure that Ports for System RPC Applications is selected.
9. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
10. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
11. Include the appropriate security template (for example, EC-Domain Controller.inf).
12. Save the policy with an appropriate name (for example, Domain Controller.xml).
should begin to verify the core functionality of the computer. For example, if the server is configured as a certification authority (CA), ensure that clients can request and obtain certificates, download a certificate revocation list, and so on. When you are confident in your policy configurations, you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. For more details about how to test SCW policies, see the Deployment Guide for the Security Configuration Wizard at http://technet2.microsoft.com/WindowsServer/en/Library/5254f8cd-143e-4559-a299-9c723b3669461033.mspx and the Security Configuration Wizard Documentation at http://go.microsoft.com/fwlink/?linkid=43450.
2. Use the Group Policy Management Console to link the newly created GPO to the Domain Controllers OU, and make sure to move it above the Default Domain Controllers Policy so that it receives the highest priority. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall. Remember that the newly created GPO can take some time to replicate to all domain controllers, especially in environments with domain controllers in multiple sites. After you verify that the GPO has replicated successfully, you should perform a final test to ensure that the GPO applies the desired policy settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Summary
This chapter explained how to harden domain controller servers that run Windows Server 2003 with SP1 in each of the three environments that are defined in this guide. Most of the policy settings that were discussed were configured and applied through Group Policy. The Domain Controller Baseline Policy (DCBP) that complements the Default Domain Controller Policy was linked to the Domain Controllers OU. The DCBP settings will enhance overall security for domain controllers in any environment. The use of two GPOs to secure domain controllers allows the default environment to be preserved and simplifies troubleshooting. Several of the settings that were discussed cannot be applied through Group Policy. For these settings, manual configuration details were provided.
After the domain controllers are configured for security, other server roles can be made more secure. The following chapters of this guide focus on how to secure several other specific server roles.
More Information
The following links provide additional information about topics that relate to hardening domain controllers that run Windows Server 2003 with SP1.
For information about the Microsoft Systems Architecture: Enterprise Data Center prescriptive architecture guides, see the MSA EDC Prescriptive Architecture Guide page at www.microsoft.com/resources/documentation/msa/edc/all/solution/en-us/pak/pag/default.mspx.
For information about how to enable anonymous access to Active Directory, see the Microsoft Knowledge Base article "Description of Dcpromo Permissions Choices" at http://support.microsoft.com/?kbid=257988.
For information about Windows 2000 DNS, see the "Windows 2000 DNS White Paper" at www.microsoft.com/technet/prodtechnol/windows2000serv/plan/w2kdns2.mspx.
For more information about Windows 2000 DNS, see Chapter 6 of the online version of "TCP/IP Core Networking Guide" in the Windows 2000 Server Resource Kit at www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/w2rkbook/CoreNetwork.asp.
For more information about the changes to DNS in Windows Server 2003, see the "Changes to DNS in Windows Server 2003 Microsoft PowerPoint presentation" at http://download.microsoft.com/download/e/1/a/e1aba157-4983-480e-aae5-347b4a38ea52/ChangestoDNS.ppt.
For more information about restricting Active Directory, see the Microsoft Knowledge Base article "Restricting Active Directory replication traffic to a specific port" at http://support.microsoft.com/?kbid=224196.
For more information about restricting FRS replication traffic, see the Microsoft Knowledge Base article "How to restrict FRS replication traffic to a specific static port" at http://support.microsoft.com/?kbid=319553.
For more information about the Windows Time Service, see the Windows Time Service Technical Reference at http://technet2.microsoft.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx.
For more information about IP spoofing, see the PDF version of the article "Introduction to IP Spoofing" at www.giac.org/practical/gsec/Victor_Velasco_GSEC.pdf.
For information about policy settings in the MSBP, see Chapter 4, "The Member Server Baseline Policy." For information on all default policy settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
Security Options
The security options settings for infrastructure servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings configure relevant security options settings uniformly on all infrastructure servers.
an IP address and a computer name when you need to determine how a particular IP address was used on a network. By default, the Server Operators and Authenticated Users groups have read permissions to the DHCP log files. To best preserve the integrity of the information logged by a DHCP server, it is recommended that access to these logs be limited to server administrators. The Server Operators and Authenticated Users groups should be removed from the Access Control List (ACL) of the %systemroot%\system32\dhcp\ folder. In theory, the DHCP audit logs could fill the disk on which they are stored. However, the default configuration for the DHCP Audit Logging setting ensures that logging will stop if there is less than 20 MB of free disk space available on the server. This default configuration is adequate for servers in most environments, but you can modify it to ensure sufficient free disk space is available for other applications on a server. For information about how to modify this configuration, refer to the DhcpLogMinSpaceOnDisk page in the Windows Server 2003 Tech Center at http://technet2.microsoft.com/WindowsServer/en/Library/f7802dce-3ff9-406a-b3e6-c0c6b3ed49411033.mspx.
By default, the Guest account is disabled on member servers and domain controllers. This configuration should not be changed. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. Therefore, you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. A SID is the value that uniquely identifies each user, group, computer account, and logon session on a network. It is not possible to change the SID of this built-in account. However, your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name.

To secure well-known accounts on infrastructure servers
Rename the Administrator and Guest accounts, and change their passwords to long and complex values on every domain and server.
Use different names and passwords on each server. If the same account names and passwords are used on all domains and servers, an attacker who gains access to one member server will be able to gain access to all other servers with the same account name and password.
Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts.
Record any changes that you make in a secure location.
Note: The built-in Administrator account can be renamed through Group Policy. This policy setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. The new installation is called a reference computer. During the server policy creation steps you will probably remove the File server role from the list of detected roles. This role is commonly configured on servers that do not require it and could be considered a security risk. To enable the File server role for servers that require it, you can apply a second policy later in this process.

To create the infrastructure server policy
1. Create a new installation of Windows Server 2003 with SP1 on a new reference computer.
2. Install the Security Configuration Wizard component on the computer through Control Panel, Add/Remove Programs, Add/Remove Windows Components.
3. Join the computer to the domain, which will apply all security settings from parent OUs.
4. Install and configure only the mandatory applications that will be on every server that shares this role. Examples include role-specific services, software and management agents, tape backup agents, and antivirus or antispyware utilities.
5. Launch the SCW GUI, select Create new policy, and point it to the reference computer.
6. Ensure that the detected server roles are appropriate for your environment (for example, the DHCP server and WINS server roles).
7. Ensure that the detected client features are appropriate for your environment.
8. Ensure that the detected administrative options are appropriate for your environment.
9. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
10. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
11. Ensure the Skip this section checkbox is unchecked in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
12. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
13. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
14. Include the appropriate security template (for example, EC-Infrastructure Server.inf).
15. Save the policy with an appropriate name (for example, Infrastructure Server.xml).
Two options are available to test the policy. You can use the native SCW deployment facilities, or deploy the policies through a GPO. When you start to author your policies, you should consider using the native SCW deployment facilities. You can use SCW to push a policy to a single server at a time, or use Scwcmd to push the policy to a group of servers. The native deployment method allows you to easily roll back deployed policies from within SCW. This capability can be very useful when you make multiple changes to your policies during the test process. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. After you apply the configuration changes, you should begin to verify the core functionality of the computer. For example, if the server is configured as a certification authority (CA), ensure that clients can request and obtain certificates, download a certificate revocation list, and so on. When you are confident in your policy configurations, you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. For more details about how to test SCW policies, see the Deployment Guide for the Security Configuration Wizard at http://technet2.microsoft.com/WindowsServer/en/Library/5254f8cd-143e-4559-a299-9c723b3669461033.mspx and the Security Configuration Wizard Documentation at http://go.microsoft.com/fwlink/?linkid=43450.
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall. You should now perform a final test to ensure that the GPO applies the desired policy settings. To complete this procedure, confirm that the appropriate policy settings were made and that functionality is not affected.
Summary
This chapter explained the policy settings that can be used for DHCP and WINS servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. Most of the settings for these roles are applied through the MSBP. The primary goal of creating an Infrastructure Policy object for the DHCP and WINS servers is to enable the necessary services for these roles to fully function and keep them well secured. Although the MSBP provides a great level of security, this chapter also discussed other considerations for the infrastructure server roles. Primarily, these considerations included the generation of log files.
More Information
The following links provide additional information about topics that relate to hardening infrastructure servers that run Windows Server 2003 with SP1.
For information about how DHCP logging has changed in Windows Server 2003, see the Microsoft Knowledge Base article "Changes in Windows Server 2003 DHCP Logging" at http://support.microsoft.com/?kbid=328891.
For more information about DHCP, see the Dynamic Host Configuration Protocol page at www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cncb_dhc_klom.asp.
For more information about WINS, see the "Windows 2000 Server Windows Internet Naming Service (WINS) Overview" at www.microsoft.com/technet/archive/windows2000serv/evaluate/featfunc/nt5wins.mspx.
For information about installing WINS in Windows Server 2003, see the "Install and Manage WINS Servers" page at www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a29d0a59-8bdd-4a82-a980-b53bd72fcb0e.mspx.
For information about policy settings in the MSBP, see Chapter 4, "The Member Server Baseline Policy." For information on all default policy settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
Security Options
The security options settings for file servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings uniformly configure all relevant security option settings on all file servers.
Use different names and passwords on each server. If the same account names and passwords are used on all domains and servers, an attacker who gains access to one member server will be able to gain access to all others.
Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts.
Record any changes that you make in a secure location.
Note: You can rename the built-in Administrator account through Group Policy. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
7. Ensure that the detected client features are appropriate for your environment.
8. Ensure that the detected administrative options are appropriate for your environment.
9. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
10. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
11. Ensure the Skip this section checkbox is unchecked in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
12. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
13. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
14. Include the appropriate security template (for example, EC-File Server.inf).
15. Save the policy with an appropriate name (for example, File Server.xml).
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall. You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Summary
This chapter explained the policy settings that can be used to configure file servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. Most of the policy settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP. GPOs can be linked to the appropriate organizational units (OUs) that contain the file servers to provide additional security. Some policy settings cannot be applied through Group Policy. For these policy settings, manual configuration details were provided.
More Information
The following links provide additional information about topics that relate to hardening file servers that run Windows Server 2003 with SP1.
For more information about file servers, see "Technical Overview of Windows Server 2003 File Services" at www.microsoft.com/windowsserver2003/techinfo/overview/file.mspx.
For more information about DFS and FRS, see the Distributed File System Technology Center at www.microsoft.com/windowsserver2003/technologies/storage/dfs/default.mspx.
For information about settings in the MSBP, see Chapter 4, "The Member Server Baseline Policy." For information on all default settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
Note: Print servers that are secured with the SSLF-Print Server.inf security template can only be accessed reliably by client computers that are secured with compatible settings. See the Windows XP Security Guide for information about how to secure client computers with SSLF-compatible settings.
.(-
Security Options
Most security option settings for print servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." Differences between the MSBP and the Print Server Group Policy are described in the following section.
This policy setting determines whether packet signing is required by the SMB server component. The SMB protocol provides the basis for Microsoft file and print sharing and many other network operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports SMB packet digital signing. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. Although the Microsoft network server: Digitally sign communications (always) setting is disabled by default, the MSBP enables this setting for servers in the SSLF environment, which allows users to print but not view the print queue. Users who attempt to view the print queue will see an access denied message. The Microsoft network server: Digitally sign communications (always) setting is configured to Disabled for print servers in all three environments that are defined in this guide.
Note: You can rename the built-in Administrator account through Group Policy. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, the Accounts: Rename administrator account setting can be configured to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
be easily obtained by dumping LSA secrets. For more information about how to secure service accounts, see The Services and Service Accounts Security Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41311.
14. Include the appropriate security template (for example, EC-Print Server.inf).
15. Save the policy with an appropriate name (for example, Print Server.xml).
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Summary
This chapter explained the policy settings that can be used for print servers that run Windows Server 2003 with SP1 for the three environments that are defined in this guide. Most of the policy settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP. GPOs can be linked to the appropriate organizational units (OUs) that contain the print servers to provide additional security. Some policy settings that were discussed cannot be applied through Group Policy. For these policy settings, manual configuration details were provided.
More Information
The following links provide additional information about topics that relate to hardening print servers that run Windows Server 2003 with SP1. For an overview of print servers, see the "Technical Overview of Windows Server 2003 Print Services," which is available for download at www.microsoft.com/windowsserver2003/techinfo/overview/print.mspx. For more information about print servers, see "What's New in File and Print Services" at www.microsoft.com/windowsserver2003/evaluation/overview/technologies/fileandprint.mspx.
For information about all default setting configurations, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
This guide illustrates how to secure IIS with minimal features installed and enabled. If you plan to use additional features in IIS, you may need to adjust some of the security settings. If you install additional services such as SMTP, FTP, or NNTP, you will need to adjust the provided templates and policies. The online article "IIS and Built-in Accounts (IIS 6.0)" at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx explains the accounts that different features of IIS use and the privileges that are required by each. To implement more secure settings on Web servers that host complex applications, you may find it useful to review the complete IIS 6.0 Documentation at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/848968f3-baa0-46f9-b1e6-ef81dd09b015.mspx.
The IIS features that you need to enable will determine whether you will need to also reconfigure other user rights assignment settings to Not defined.
Security Options
The security option settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security options are uniformly configured on all IIS servers.
3. In the Components list, click Application Server, and then Details.
4. In the Application Server dialog box, under Subcomponents of Application Server, click Internet Information Services (IIS), and then Details.
5. In the Internet Information Services (IIS) dialog box, in the Subcomponents of Internet Information Services (IIS) list, do either of the following: To add optional components, select the check box next to the component that you want to install. To remove optional components, clear the check box next to the component that you want to remove.
6. Click OK until you return to the Windows Component Wizard.
7. Click Next, and then Finish.
You should only enable essential IIS components and services that are required by Web sites and applications. If you enable unnecessary components and services, the attack surface of an IIS server increases. The following illustrations and tables show the location and suggested settings for IIS components. The subcomponents in the Application Server dialog box are shown in the following figure:
Figure 9.1 Application Server dialog box with list of subcomponents
The following table briefly describes the Application Server subcomponents and provides recommendations for when to enable them.
Table 9.2 Recommended Application Server Subcomponents Settings
Component name in UI | Setting | Setting logic
Application Server Console | Disabled | Provides a Microsoft Management Console (MMC) snap-in that you can use to administer all the Web Application Server components. This component is not required on a dedicated IIS server because IIS Server Manager can be used.
ASP.NET | Disabled | Provides support for ASP.NET applications. Enable this component when an IIS server runs ASP.NET applications.
Enable network COM+ access | Enabled | Allows an IIS server to host COM+ components for distributed applications. Required for FTP, BITS server extension, World Wide Web Service, and IIS Manager among others.
Enable network DTC access | Disabled | Allows an IIS server to host applications that participate in network transactions through Distributed Transaction Coordinator (DTC). Disable this component unless the applications that run on the IIS server require it.
Internet Information Services (IIS) | Enabled | Provides basic Web and FTP services. This component is required for dedicated IIS servers. Note: If this component is not enabled, then all subcomponents are disabled.
Message Queuing | Disabled | Microsoft Message Queuing (MSMQ) provides a message routing, storage, and forwarding middleware layer for enterprise Web applications.
The subcomponents in the Internet Information Services (IIS) dialog box are shown in the following figure:
Figure 9.2 IIS dialog box with list of subcomponents
The following table briefly describes the IIS subcomponents and provides recommendations for when to enable them.
Table 9.3 Recommended IIS Subcomponents Settings
Component name in UI | Setting | Setting logic
Background Intelligent Transfer Service (BITS) server extension | Disabled | The BITS server extension allows BITS on the clients to upload files to this server in the background. If you have an application on the clients that uses BITS to upload files to this server, then enable and configure the BITS server extension; otherwise, leave it disabled. Note that Windows Update, Microsoft Update, SUS, WSUS, and Automatic Updates do not require this component to run. They require the BITS client component, which is not part of IIS.
Common Files | Enabled | IIS requires these files and they must always be enabled on IIS servers.
File Transfer Protocol (FTP) Service | Disabled | Allows IIS servers to provide FTP services. This service is not required for dedicated IIS servers.
FrontPage 2002 Server Extensions | Disabled | Provides FrontPage support to administer and publish Web sites. Disable on dedicated IIS servers when no Web sites use FrontPage extensions.
Internet Information Services Manager | Enabled | Administrative interface for IIS.
Internet Printing | Disabled | Provides Web-based printer management and allows printers to be shared over HTTP. This component is not required on dedicated IIS servers.
NNTP Service | Disabled | Distributes, queries, retrieves, and posts Usenet news articles on the Internet. This component is not required on dedicated IIS servers.
SMTP Service | Disabled | Supports the transfer of electronic mail. This component is not required on dedicated IIS servers.
World Wide Web Service | Enabled | Provides Web services, static, and dynamic content to clients. This component is required on dedicated IIS servers.
The subcomponents in the Message Queuing dialog box are shown in the following figure:
The following table briefly describes the Message Queuing subcomponents and provides recommendations for when to enable them.
Table 9.4 Recommended Message Queuing Subcomponents Settings
Component name in UI | Installation option | Setting logic
Active Directory Integration | Disabled | Provides integration with the Active Directory® directory service whenever an IIS server belongs to a domain. This component is required when Web sites and applications that run on IIS servers use Microsoft Message Queuing (MSMQ).
Common | Disabled | This component is required when Web sites and applications that run on IIS servers use MSMQ.
Downlevel Client Support | Disabled | Provides access to Active Directory and site recognition for downstream clients. This component is required when an IIS server's Web sites and applications use MSMQ.
MSMQ HTTP Support | Disabled | Provides the ability to send and receive messages over the HTTP transport. This component is required when an IIS server's Web sites and applications use MSMQ.
Routing support | Disabled | Provides store-and-forward messaging as well as efficient routing services for MSMQ. This component is required when Web sites and applications that run on IIS servers use MSMQ.
Triggers | Disabled | Associates the arrival of incoming messages at a queue with functionality in a COM component or a stand-alone executable program.
The subcomponents in the Background Intelligent Transfer Service (BITS) Server Extensions dialog box are shown in the following figure:
Figure 9.4 BITS Server Extensions with list of subcomponents
The following table briefly describes the BITS Server Extensions subcomponents and provides recommendations for when to enable them.
Table 9.5 Recommended BITS Server Extensions Subcomponents Settings
Component name in UI | Installation option | Setting logic
BITS management console snap-in | Disabled | Installs an MMC snap-in to administer BITS. Enable this component when the BITS server extension for Internet Server Application Programming Interface (ISAPI) is enabled.
BITS server extension ISAPI | Disabled | Installs the BITS ISAPI so that an IIS server can transfer data using BITS. BITS Server Extensions allow BITS on the clients to upload files to this server in the background. If you have an application on the clients that uses BITS to upload files to this server, then enable and configure the BITS server extension; otherwise leave it disabled. Note that Windows Update, Microsoft Update, SUS, WSUS, and Automatic Updates do not require this component to run. They require the BITS client component, which is not part of IIS.
The subcomponents in the World Wide Web Service dialog box are shown in the following figure:
Figure 9.5 World Wide Web Service dialog box with list of subcomponents
The following table briefly describes the World Wide Web Service subcomponents and provides recommendations for when to enable them.
Table 9.6 Recommended World Wide Web Service Subcomponent Settings
Component name in UI | Installation option | Setting logic
Active Server Pages | Disabled | Provides support for ASP. Disable this component when no Web sites or applications on IIS servers use ASP, or disable it by using the Web service extensions. For more information, see the following "Enabling Only Essential Web Service Extensions" section in this chapter.
Internet Data Connector | Disabled | Provides support for dynamic content that is provided through files with .idc extensions. Disable this component when no Web sites or applications that run on IIS servers include files with .idc extensions, or disable it by using the Web service extensions. For more information, see the following "Enabling Only Essential Web Service Extensions" section in this chapter.
Remote Administration (HTML) | Disabled | Provides an HTML interface to administer IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of an IIS server. This feature is not required on dedicated IIS servers.
Remote Desktop Web Connection | Disabled | Includes Microsoft ActiveX® control and sample pages to host Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of an IIS server. Not required on a dedicated IIS server.
Server Side Includes | Disabled | Provides support for .shtm, .shtml, and .stm files. Disable this component when no Web sites or applications that run on IIS servers use include files with these extensions.
WebDAV | Disabled | WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Disable this component on dedicated IIS servers or disable it by using the Web service extensions. For more information, see the following "Enabling Only Essential Web Service Extensions" section in this chapter.
World Wide Web Service | Enabled | Provides Web services, static, and dynamic content to clients. This component is required on dedicated IIS servers.
The following table lists predefined Web service extensions, and provides details on when to enable each extension.
Table 9.7 Enabling Web Service Extensions
Web service extension | Enable extension when
Active Server Pages | One or more Web sites and applications that run on IIS servers contain ASP content.
ASP.NET v1.1.4322 | One or more Web sites and applications that run on IIS servers contain ASP.NET content.
All Unknown CGI Extensions | One or more Web sites and applications that run on IIS servers contain unknown CGI extension content.
All Unknown ISAPI Extensions | One or more Web sites and applications that run on IIS servers contain unknown ISAPI extension content.
FrontPage Server Extensions 2002 | One or more Web sites that run on IIS servers use FrontPage Extensions.
Internet Data Connector | One or more Web sites and applications that run on IIS servers use IDC to display database information (this content includes .idc and .idx files).
Server Side Includes | One or more Web sites that run on IIS servers use SSI directives to instruct IIS servers to insert reusable content (for example, a navigation bar, a page header or footer) into different Web pages.
WebDAV | WebDAV support is required on IIS servers for clients to transparently publish and manage Web resources.
In addition to the security-related benefits, administration tasks such as backup and restore are easier when Web site and application files and folders are placed on a dedicated disk volume. Also, use of a separate, dedicated physical drive can help reduce disk contention on the system volume and improve overall disk access performance.
site permissions to provide additional security for Web sites on IIS servers in the three environments that are defined in this guide. Web site permissions can be used in conjunction with NTFS permissions, and can be configured for specific sites, directories, and files. Unlike NTFS permissions, Web site permissions affect everyone who tries to access a Web site that runs on an IIS server. Web site permissions can be applied with the MMC IIS Manager snap-in. The following table lists the Web site permissions that are supported by IIS 6.0, and provides brief explanations of when to assign any given permission to a Web site.
Table 9.9 IIS 6.0 Web Site Permissions
Web site permission | Permission granted
Read | Users can view the content and properties of directories or files. This permission is selected by default.
Write | Users can change content and properties of directories or files.
Script Source Access | Users can access source files. If Read is enabled, then the source can be read; if Write is enabled, then the script source code can be changed. Script Source Access includes the source code for scripts. If neither Read nor Write is enabled, this option is not available. Important: When Script Source Access is enabled, users may be able to view sensitive information, such as a user name and password. They may also be able to change source code that runs on an IIS server and seriously affect the server's security and performance.
Directory browsing | Users can view file lists and collections.
Log visits | A log entry is created for each visit to the Web site.
Index this resource | Allows the Indexing Service to index resources, which allows searches to be performed on resources.
Execute | The following options determine the level of script execution for users: None. Does not allow scripts or executables to run on the server. Scripts only. Allows only scripts to run on the server. Scripts and Executables. Allows both scripts and executables to run on the server.
The MMC IIS Manager snap-in can be used to configure the log file format, the log schedule, and the exact information to be logged. To limit the size of the logs, you should use a careful planning process to determine which fields to log. When IIS logging is enabled, IIS uses the W3C Extended Log File Format to create daily activity logs in the directory that is specified for the Web site in IIS Manager. To improve server performance, you should store logs on a non-system striped or striped/mirrored disk volume. Logs can also be written to a remote share over a network by using a full, Universal Naming Convention (UNC) path. Remote logging allows administrators to set up centralized log file storage and backup. However, server performance could be negatively affected when log files are written over the network. IIS logging can be configured to use several other ASCII or Open Database Connectivity (ODBC) log file formats. ODBC logs can store activity information in a SQL database. However, note that when ODBC logging is enabled, IIS disables the kernel-mode cache, which can degrade overall server performance. IIS servers that host hundreds of sites can enable centralized binary logging to improve logging performance. Centralized binary logging enables all Web sites on an IIS server to write activity information to a single log file. This method can greatly increase the manageability and scalability of the IIS logging process because it reduces the number of logs that need to be individually stored and analyzed. For more information about centralized binary logging, see the IIS Centralized Binary Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/13a4c0b5-686b-4766-8729-a3402da835f1.mspx. When IIS logs are stored on IIS servers, only server administrators have permission to access them by default.
If a log file directory or file owner is not in the Local Administrators group, the HTTP.sys file (the kernel-mode driver in IIS 6.0) publishes an error to the NT event log. This error indicates that the owner of the directory or file is not in the Local Administrators group, and that logging has been suspended for that site until the owner is added to the Local Administrators group, or the existing directory or log file is deleted.
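The logging passage above, as an added PowerShell example that is not part of this guide: the script parses W3C Extended Log File Format lines (the format IIS uses by default) into objects named by the #Fields directive, then lists the requests that depend on WebDAV, Internet Data Connector or Server Side Includes, the components the tables earlier in this chapter recommend disabling on dedicated IIS servers. The log lines, addresses and paths are constructed for the example; the log path in the last comment is the IIS 6.0 default, and the 404.2 check assumes the IIS 6.0 substatus code that Web service extension lockdown returns.

```powershell
# Added example (not part of the Windows Server 2003 Security Guide): parse IIS
# W3C Extended Log File Format records and flag requests that depend on
# components this chapter recommends disabling on dedicated IIS servers.
# The log lines below are constructed for this example. Requires PowerShell 2.0 or later.

$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-01-15 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-01-15 00:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-01-15 00:00:02 10.0.0.5 GET /reports/sales.idc - 80 - 10.0.0.78 Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 0
2006-01-15 00:00:03 10.0.0.5 PROPFIND /docs/ - 80 - 10.0.0.79 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2006-01-15 00:00:04 10.0.0.5 GET /news/index.shtml - 80 - 10.0.0.80 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-01-15 00:00:05 10.0.0.5 GET /scripts/get.asp id=1 80 - 10.0.0.81 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
'@

# Turn each data line into an object whose properties are named by the
# #Fields directive, so later queries do not depend on column order.
function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Data line encountered before a #Fields directive' }
        $values = $line -split ' '
        $record = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $record
    }
}

# WebDAV verbs, plus the file extensions served by Internet Data Connector and
# Server Side Includes (Tables 9.6 and 9.7 recommend disabling all three).
$webDavMethods   = 'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', 'MOVE', 'LOCK', 'UNLOCK', 'SEARCH'
$riskyExtensions = @{
    '.idc'  = 'Internet Data Connector'; '.idx'   = 'Internet Data Connector'
    '.shtm' = 'Server Side Includes';    '.shtml' = 'Server Side Includes'; '.stm' = 'Server Side Includes'
}

function Get-LockdownCandidates {
    param([object[]]$Records)
    foreach ($r in $Records) {
        $ext = [System.IO.Path]::GetExtension($r.'cs-uri-stem').ToLower()
        $feature = $null
        if ($webDavMethods -contains $r.'cs-method')   { $feature = 'WebDAV' }
        elseif ($riskyExtensions.ContainsKey($ext))    { $feature = $riskyExtensions[$ext] }
        if ($feature) {
            New-Object PSObject -Property @{
                Time    = "$($r.date) $($r.time)"
                Client  = $r.'c-ip'
                Method  = $r.'cs-method'
                Uri     = $r.'cs-uri-stem'
                Feature = $feature
                Status  = "$($r.'sc-status').$($r.'sc-substatus')"
                # 404.2 is the IIS 6.0 substatus for "blocked by Web service extension lockdown policy"
                BlockedByLockdown = ($r.'sc-status' -eq '404' -and $r.'sc-substatus' -eq '2')
            }
        }
    }
}

$records = ConvertFrom-W3CLog ($sampleLog -split "`r?`n")
Get-LockdownCandidates $records |
    Format-Table Time, Client, Method, Uri, Feature, Status, BlockedByLockdown -AutoSize

# Against a real site (IIS 6.0 default log location, file name exYYMMDD.log):
# Get-LockdownCandidates (ConvertFrom-W3CLog (Get-Content 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex060115.log'))
```

Run against a site's real logs before a component is disabled, the output shows which clients still depend on it; an entry marked BlockedByLockdown shows that the Web service extension policy already rejected the request, which is a useful confirmation that the lockdown is in effect.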
Table 9.10 Manually Added User Rights Assignments
Setting | Member server default | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality
Deny access to this computer from the network | | Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts
Important: "All non-operating system service accounts" includes service accounts that are used for specific applications across an enterprise, but does NOT include LOCAL SYSTEM, LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses).
Note: You can rename the built-in administrator account through Group Policy. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in the three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO.
12. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
13. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
14. Include the appropriate security template (for example, EC-IIS Server.inf).
15. Save the policy with an appropriate name (for example, IIS Server.xml).
Note: The MSBP disables several other IIS-related services, including FTP, SMTP, and NNTP. The Web Server policy must be modified if any of these services are to be enabled on IIS servers in any of the three environments that are defined in this guide.
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Summary
This chapter explained the policy settings that can be used to harden IIS servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. Most of the settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP. GPOs can be linked to the appropriate organizational units (OUs) that contain the IIS servers to provide additional security. Some of the settings that were discussed cannot be applied through Group Policy. For these settings, manual configuration details were provided.
More Information
The following links provide additional information about topics that relate to hardening IIS-based Web servers that run Windows Server 2003 with SP1. For information about how to enable logging in IIS, see the Microsoft Knowledge Base article "How to enable logging in Internet Information Services (IIS)" at http://support.microsoft.com/?kbid=313437. Additional information about logging is available on the Enable Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d29207e8-5274-4f4b-9a00-9433b73252d6.mspx. For information about how to log site activity, see the Logging Site Activity (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ab7e4070-e185-4110-b2b1-1bcac4b168e0.mspx. For information about extended logging, see the Customizing W3C Extended Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/96af216b-e2c0-428e-9880-95cbd85d90a1.mspx. For information about centralized binary logging, see the Centralized Binary Logging in IIS 6.0 (IIS 6.0) page on Microsoft.com at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b9cdc076-403d-463e-9a36-5a14811d34c7.mspx. For information about remote logging, see the Remote Logging (IIS 6.0) page at www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a6347ae3-39d1-4434-97c9-5756e5862c61.mspx. For additional information about IIS 6.0, see the Internet Information Services page at www.microsoft.com/WindowsServer2003/iis/default.mspx.
Audit Policy
Audit policy settings for IAS servers in the EC environment are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security audit information is logged on all IAS servers in an organization.
Security Options
The security options settings for IAS servers in the EC environment are also configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that appropriate access to IAS servers is uniformly configured across an enterprise.
Event Log
The event log settings for IAS servers in the EC environment are also configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy."
To secure well-known accounts on IAS servers
Rename the Administrator and Guest accounts, and change their passwords to long and complex values on every domain and server.
Use different names and passwords on each server. If the same account names and passwords are used on all domains and servers, an attacker who gains access to one member server will be able to gain access to all others.
Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts.
Record any changes that you make in a secure location.
Note: The built-in Administrator account can be renamed through Group Policy. This policy setting was not implemented in any of the security templates that are provided with this guide because every environment should choose a unique name for this account. However, the Accounts: Rename administrator account setting can be configured to rename administrator accounts in the EC environment. This policy setting is a part of the Security Options settings section of a GPO.
4. Install and configure only the mandatory applications that will be on every server that shares this role. Examples include role-specific services, software and management agents, tape backup agents, and antivirus or antispyware utilities.
5. Launch the SCW GUI, select Create new policy, and point it to the reference computer.
6. Ensure that the detected server roles are appropriate for your environment, for example the IAS server (RADIUS) role.
7. Ensure that the detected client features are appropriate for your environment.
8. Ensure that the detected administrative options are appropriate for your environment.
9. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
10. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
11. Ensure the Skip this section checkbox is unchecked in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
12. In the "Registry Settings" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
13. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
14. Include the appropriate security template (for example, EC-IAS Server.inf).
15. Save the policy with an appropriate name (for example, IAS Server.xml).
For more information about how to test SCW policies, see the Deployment Guide for the Security Configuration Wizard at http://technet2.microsoft.com/WindowsServer/en/Library/5254f8cd-143e-4559-a299-9c723b3669461033.mspx and the Security Configuration Wizard Documentation at http://go.microsoft.com/fwlink/?linkid=43450.
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
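The closing steps of the SCW procedure above (turning the saved policy into a GPO, checking that Windows Firewall is active, and the final test that the GPO applied) as an added PowerShell example that is not part of this guide. The policy file name, its location in SCW's default policy folder, and the GPO name are placeholders chosen for the example; scwcmd, netsh, gpupdate and gpresult are the command-line tools that ship with Windows Server 2003, and linking the GPO to the OU is still done in GPMC as the step describes.

```powershell
# Added example (not part of the Windows Server 2003 Security Guide): the
# command-line form of finishing the SCW-to-GPO procedure. Placeholder names:
# the policy saved in the last step is assumed to be 'IAS Server.xml' in SCW's
# default policy folder, and the GPO is created as 'IAS Server Policy'.

$policyFile = Join-Path $env:windir 'security\msscw\Policies\IAS Server.xml'
$gpoName    = 'IAS Server Policy'

# Transform the SCW policy into a domain GPO (run as a domain administrator on
# a computer with GPMC installed); the GPO is then linked to the OU in GPMC.
& scwcmd transform /p:"$policyFile" /g:"$gpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

# If the policy carries Windows Firewall settings, the firewall must be active
# locally. 'netsh firewall show state' reports 'Operational mode = Enable' when it is.
function Test-WindowsFirewallActive {
    $state = & netsh firewall show state
    [bool]($state -match 'Operational mode\s*=\s*Enable')
}
if (-not (Test-WindowsFirewallActive)) {
    Write-Warning 'Windows Firewall is not active on this computer; enable it before applying the policy'
}

# Final test once the GPO is linked: refresh computer policy and confirm the GPO
# name appears in the applied-GPO list that gpresult prints.
function Test-GpoApplied {
    param([string]$Name)
    & gpupdate /target:computer /force | Out-Null
    $result = & gpresult /scope computer /v
    [bool]($result -match [regex]::Escape($Name))
}
if (Test-GpoApplied $gpoName) {
    "GPO '$gpoName' is applied to this computer; now verify that role functionality is unaffected"
} else {
    Write-Warning "GPO '$gpoName' was not found in gpresult output; check the OU link and policy refresh"
}
```

The gpresult check confirms only that the GPO was applied; as the step says, the functional test of the role (for an IAS server, that RADIUS clients still authenticate) is still a manual step.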
Summary
This chapter explained the settings that can be used to harden IAS servers that run Windows Server 2003 with SP1 in the Enterprise Client environment that is defined in this guide. These settings may also work in the other environments defined in this guide, but they have not been tested or validated. The settings were configured and applied through a Group Policy object (GPO) that was designed to complement the MSBP. GPOs can be linked to the appropriate organizational units (OUs) that contain the IAS servers in your organization to provide additional security.
More Information
The following links provide additional information about topics that relate to hardening IAS servers that run Windows Server 2003 with SP1. For more information about IAS, see the Understanding IAS page at http://technet2.microsoft.com/WindowsServer/en/Library/ab4eeeb2-b0aa-4b4a-a959-3902b2b3f1af1033.mspx. For more information about IAS and security, see the Internet Authentication Service page at http://technet2.microsoft.com/WindowsServer/en/Library/d98eb914-258c-4f0b-ad04-dc4db9e4ee631033.mspx. For information about IAS, firewalls, and Windows Server 2003, see the IAS and firewalls page at www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/518e70a9-9e7a-422b-a13f-f3193d4fd215.mspx. For more information about RADIUS, see the RFC memo "RADIUS Accounting" at www.ietf.org/rfc/rfc2866.txt.
You might install Microsoft Internet Information Services (IIS) on some of the Certificate Services servers in your environment so that these servers can distribute CA certificates and certificate revocation lists (CRLs). IIS is also used to host the Certificate Services server Web enrollment pages, which allow non-Microsoft Windows® clients to enroll certificates. Before you act on the information in this chapter, make sure you understand how to securely install IIS, which is described in Chapter 9, "The Web Server Role" in this guide. If you install IIS on your CAs, the security configuration template that was developed for Chapter 9 must be applied to your Certificate Services servers before you configure the prescribed settings that are described in this chapter.
3ote$ 6n simplified environments# the issuin& CA server can be used to host the 3eb server# the CA certificate# and the C4! download points. *owever# "ou should consider usin& a separate 3eb server in "our own environment to improve the securit" of "our CAs.
33S is used to host the certificate server enrollment pages and to distribute CA certificates and CKL download points for non%!indows clients. Microsoft recommends that you not install 33S on the root CA server. 3f possible1 you should not run 33S on your issuing CA and any intermediate CAs in your environment. 3t is more secure to host the !eb download points for CA certificates and CKLs on a different server than the CA server itself. Many certificate users /internal and e9ternal0 who need to retrieve CKLs or CA chain information should not necessarily be permitted access to the CA. However1 you cannot isolate users from the CA if you host the download points on it.
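One way to check whether a CA still serves its own CRL download points, as an added example that is not part of the guide or its templates: the script parses the CRL publication URLs that certutil reports and flags any HTTP entry that points back at the CA. It assumes the "<index>: <flags>:<url>" line format of "certutil -getreg CA\CRLPublicationURLs"; the sample output, the host names and the flag values in it are constructed for illustration.

```powershell
# Added example (not from the guide): flag CRL publication URLs that are served
# from the CA itself. The guide recommends hosting the HTTP download points on
# a separate Web server. Assumes the output format of
# "certutil -getreg CA\CRLPublicationURLs" (one "<index>: <flags>:<url>" line
# per entry); the sample text below is constructed for illustration.

function Get-PublicationUrls {
    param([string]$CertutilText)
    # Each entry looks like "    0: 65:http://%1/CertEnroll/%3%8%9.crl"
    $urls = @()
    foreach ($line in ($CertutilText -split "`r?`n")) {
        if ($line -match '^\s*\d+:\s*(\d+):(.+?)\s*$') {
            $urls += [pscustomobject]@{ Flags = [int]$Matches[1]; Url = $Matches[2] }
        }
    }
    return $urls
}

function Test-DownloadPointOnCa {
    param([string]$CertutilText, [string]$CaHostName)
    # %1 expands to the CA's own DNS name, so any HTTP URL that uses it (or the
    # CA host name literally) serves the download point from the CA.
    Get-PublicationUrls -CertutilText $CertutilText |
        Where-Object { $_.Url -match '^https?://' } |
        Where-Object { $_.Url -match '%1' -or $_.Url -match [regex]::Escape($CaHostName) }
}

# Constructed sample of what certutil prints on a CA with default-style settings.
$sample = @'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ISSUING-CA\CRLPublicationURLs:

  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    2: 6:http://%1/CertEnroll/%3%8%9.crl
    3: 2:http://pki.example.com/CertEnroll/%3%8%9.crl
CertUtil: -getreg command completed successfully.
'@

# Offline run against the constructed sample: reports entry 2 only.
Test-DownloadPointOnCa -CertutilText $sample -CaHostName 'issuing-ca.example.com' |
    ForEach-Object { "Download point served by the CA itself: $($_.Url)" }

# On a real CA (run locally with CA administrator rights):
# $text = certutil -getreg CA\CRLPublicationURLs | Out-String
# Test-DownloadPointOnCa -CertutilText $text -CaHostName $env:COMPUTERNAME
# Repeat with CA\CACertPublicationURLs to cover the CA certificate (AIA) download points.
```

Entry 3 in the sample is the pattern the guide recommends: the CRL is published to an HTTP location on another host, so clients never need to reach the CA to retrieve it.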
Security Options
The Security Options section of Group Policy is used to enable or disable security settings for computers, such as digital signing of data, Administrator and Guest account names, floppy disk drive and CD-ROM drive access, driver installation behavior, and logon prompts. You can configure the security options settings in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The following table includes the recommended security options setting for the Certificate Services server role in the Enterprise Client environment. Detailed information about the setting is provided in the text that follows the table.
Table 11.1 Recommended Security Options Settings
Setting | Enterprise Client
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In effect, support for this cipher suite means that the provider only supports the TLS protocol as a client and a server (if applicable). The TLS/SSL Security Provider uses the following algorithms:
- The Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption.
- The Rivest, Shamir, and Adleman (RSA) public key algorithm for the TLS key exchange and authentication. (RSA is a public-key encryption technology that was developed by RSA Data Security, Inc.)
- The SHA-1 hashing algorithm for the TLS hashing requirements.
For the Encrypting File System Service (EFS), the TLS/SSL Security Provider supports only the Triple DES encryption algorithm to encrypt file data that is stored in the Windows NTFS file system. By default, in Windows 2000 and Windows XP with no service packs, EFS uses the DESX algorithm to encrypt file data; in Windows XP SP1 and later, and Windows Server 2003, the default algorithm is Advanced Encryption Standard (AES) using a 256-bit key. If you enable this policy setting, computers that fulfill this server role in your environment will use the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimizes risk because they limit the ability of an unauthorized user to compromise digitally encrypted or signed data. For these reasons, the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting is configured to Enabled for the Enterprise Client environment.
Note: Client computers that have this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Network client computers that do not support these algorithms will not be able to use servers that require the algorithms for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting you must also configure Internet Explorer to use TLS. To do so, open the Internet Options dialog box from the Internet Explorer Tools menu, click the Advanced tab on the Internet Options dialog box, scroll towards the bottom of the Settings list, and then click the Use TLS 1.0 checkbox. It is also possible to configure this functionality through Group Policy or with the Internet Explorer Administrators Kit.
Additional Registry Entries
Additional registry entries were created for the EC-CA Server.inf template file. These entries are not defined within the Administrative Template (.adm) files for the Enterprise Client environment as defined in this guide. The .adm files define the system policies and restrictions for the desktop, shell, and security settings for Windows Server 2003 with SP1. The additional registry entries are configured within the security template to automate their implementation. If the Incremental Certificate Services Group Policy for this environment is removed, its settings are not automatically removed and must be manually changed with a registry editing tool such as Regedt32.exe. You can configure the registry entries in Windows Server 2003 at the following location within the Group Policy Object Editor: MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Enterprise Client permissions (fragment of the file permissions table; the path column did not survive extraction): Administrators (Full Control); SYSTEM (Full Control); Users (Read and Execute, List Folder Contents, and Read)
Because of the security-sensitive nature of CAs, file auditing is enabled on the Certificate Services folders that are listed in the preceding table. The audit entries are configured as shown in the following table:
Table 11.3 Certificate Services File and Registry Audit Configuration
File path or registry path | Audit type | Audit setting
(Only the Audit setting column survived extraction: Everyone (Full Control); Everyone (Modify); Everyone (Modify); Everyone (Modify).)
These settings audit every failed access attempt (read or modify) by any user and also every successful modification by any user.
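A way to verify that the audit entries described above are actually in place, as an added example (not code from the guide): the script reads the SACL of each Certificate Services path and reports whether an Everyone/Failure/Full Control entry and an Everyone/Success/Modify entry exist. The CertSrv and CertLog folder locations are the CA's default locations and an assumption on my part, since the guide's table did not survive here; the registry key is the one named in this chapter. Reading SACLs needs an elevated session (Administrators hold the required SeSecurityPrivilege) and PowerShell 3.0 or later.

```powershell
# Added example (not from the guide): list the audit (SACL) entries on the
# Certificate Services folders and registry key and report any path that lacks
# the two entries the guide prescribes: Everyone / Failure / Full Control and
# Everyone / Success / Modify. Requires an elevated session. The CertSrv and
# CertLog locations are the CA defaults (assumption), not the guide's table.

$paths = @(
    "$env:SystemRoot\System32\CertSrv",
    "$env:SystemRoot\System32\CertLog",
    'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
)

function Get-AuditEntries {
    param([string]$Path)
    # -Audit makes Get-Acl read the SACL in addition to the DACL.
    $acl = Get-Acl -Path $Path -Audit
    foreach ($rule in $acl.Audit) {
        # File rules expose FileSystemRights, registry rules RegistryRights.
        $rights = if ($rule -is [System.Security.AccessControl.FileSystemAuditRule]) {
            $rule.FileSystemRights
        } else {
            $rule.RegistryRights
        }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $rule.IdentityReference.Value
            Flags     = $rule.AuditFlags        # Success, Failure, or both
            Rights    = $rights
            Inherited = $rule.IsInherited
        }
    }
}

function Test-CaAuditConfiguration {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $entries = @(Get-AuditEntries -Path $p | Where-Object { $_.Identity -eq 'Everyone' })
        $hasFailureFull = $entries | Where-Object {
            ([int]($_.Flags -band [System.Security.AccessControl.AuditFlags]::Failure) -ne 0) -and
            $_.Rights.ToString() -match 'FullControl'
        }
        # "Modify" is a named value of FileSystemRights only; on the registry
        # key any Success entry that allows writing (SetValue) is accepted here.
        $hasSuccessModify = $entries | Where-Object {
            ([int]($_.Flags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0) -and
            $_.Rights.ToString() -match 'Modify|FullControl|SetValue'
        }
        [pscustomobject]@{
            Path                  = $p
            EveryoneFailureFull   = [bool]$hasFailureFull
            EveryoneSuccessModify = [bool]$hasSuccessModify
            Compliant             = ([bool]$hasFailureFull -and [bool]$hasSuccessModify)
        }
    }
}

# Summary table; call Get-AuditEntries on a single path to see the raw entries.
Test-CaAuditConfiguration -Paths $paths | Format-Table -AutoSize
```

A path that shows Compliant = False after the Incremental Certificate Services GPO has been applied usually means the template's file or registry section was not imported, which is the situation the chapter warns about when the GPO is removed and its settings linger or go missing.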
Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. Record these changes in a secure location.
Note: You can rename the built-in Administrator account through Group Policy. This policy setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename the Administrator account in the EC environment. This policy setting is a part of the Security Options settings of a GPO.
7. Ensure that the detected client features are appropriate for your environment.
8. Ensure that the detected administrative options are appropriate for your environment.
9. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
10. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
11. Ensure that the Skip this section checkbox is cleared in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall.
12. In the "Registry Settings" section, select the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
13. In the "Audit Policy" section, select the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
14. Include the appropriate security template (for example, EC-CA Server.inf).
15. Save the policy with an appropriate name (for example, Certificate Services.xml).
2. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall.
You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Su""ary
This chapter e9plained the policy settings that can be used to harden Certificate Services servers that run !indows Server *++, with S-. in the ?nterprise Client environment as defined in this guide. The settings are configured and applied through a Hroup -olicy ob7ect /H-$0 that complements the MSC-. H-$s can be linked to the appropriate organi'ational units /$Js0 that contain the Certificate Services servers to provide additional security.
)ore In&or"ation
The following links provide additional information about topics that relate to hardening servers that run !indows Server *++, with S-. and Certificate Services. :or a good introduction to public key infrastructure /-F30 concepts and the features of !indows *+++ certificate services1 see GAn 3ntroduction to the !indows *+++ -ublic Fey 3nfrastructureG at www.microsoft.com#technet#archive#windows*+++serv# evaluate#featfunc#pkiintro.msp9. :or more detailed information about -F3 functionality in !indows Server *++, and !indows 2-1 see G-F3 ?nhancements in !indows 2- -rofessional and !indows Server *++,G at www.microsoft.com#technet#prodtechnol#win9ppro#plan#pkienh.msp9. :or more background information about key -F3 concepts1 see the -ublic Fey 3nfrastructure page at http"##technet*.microsoft.com#!indowsServer#en#Library#,*aacfe>%>,af%ELNL%aE5c% N5E>,5E5a6N>.+,,.msp9.
.;;
This policy setting determines which users cannot access a computer over the network. It denies a number of network protocols, including server message block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), HTTP, and Component Object Model Plus (COM+). This policy setting overrides the Access this computer from the network setting when a user account is subject to both policies. If you configure this user right for other groups, you could limit the ability of users to perform delegated administrative tasks in your environment. In Chapter 4, "The Member Server Baseline Policy," this guide recommends that you include the Guests group in the list of users and groups that are assigned this user right to provide the highest possible level of security. However, the IUSR account that is used for anonymous access to IIS is a member of the Guests group by default. The Deny access to this computer from the network setting is configured to include ANONYMOUS LOGON, Built-in Administrator, SUPPORT_388945a0, Guest, and all NON-Operating System service accounts for bastion hosts in the SSLF environment that is defined in this guide.
Security Options
The BHLP security options settings for bastion hosts are the same as those specified in the SSLF-Member Server Baseline.inf file in Chapter 4, "The Member Server Baseline Policy." These BHLP settings ensure that all relevant security options are uniformly configured on all bastion host servers.
Table 12.3 Manually Added User Rights Assignments
Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality
Deny access to this computer from the network | Built-in Administrator; SUPPORT_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; SUPPORT_388945a0; Guest; all NON-Operating System service accounts | Built-in Administrator; SUPPORT_388945a0; Guest; all NON-Operating System service accounts
Important: "All non-operating system service accounts" includes service accounts that are used for specific applications across an enterprise, but does NOT include LOCAL SYSTEM, LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses).
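The check below is an added example, not code from the guide: it exports the effective user rights with secedit and confirms that the Deny access to this computer from the network right (SeDenyNetworkLogonRight) covers the principals listed in Table 12.3. The built-in Administrator and Guest are located by their RIDs (500 and 501), so the check still works after they have been renamed as the guide recommends. The application service accounts that count as "non-operating system" in your environment are not known to the script; add their names to $expected yourself. Run it elevated on the bastion host (a stand-alone computer, so the local account database applies).

```powershell
# Added example (not from the guide): verify the bastion-host "Deny access to
# this computer from the network" assignment against the principals in Table 12.3.
# Runs elevated; secedit /export needs administrative rights.

function Get-PrivilegeAssignments {
    param([string]$InfPath)
    # secedit writes a Unicode .inf; the [Privilege Rights] section holds lines
    # such as: SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-21-...-500,*S-1-5-21-...-501
    $section = $null
    $result = @{}
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -ne 'Privilege Rights') { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            $result[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_ -ne '' })
        }
    }
    return $result
}

function Resolve-PrincipalName {
    param([string]$Entry)
    # A leading "*" marks a SID; anything else is already a name.
    if ($Entry -notmatch '^\*') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        $nt = $sid.Translate([System.Security.Principal.NTAccount]).Value
        return ($nt -split '\\')[-1]   # strip the "NT AUTHORITY\" or computer prefix
    } catch {
        return $Entry                   # unresolvable SID: keep it as-is
    }
}

function Test-DenyNetworkLogon {
    param([string]$InfPath, [string[]]$Expected)
    $assignments = Get-PrivilegeAssignments -InfPath $InfPath
    $assigned = @($assignments['SeDenyNetworkLogonRight'] | ForEach-Object { Resolve-PrincipalName $_ })
    foreach ($name in $Expected) {
        [pscustomobject]@{
            Principal = $name
            Denied    = ($assigned -contains $name)
        }
    }
}

# Export only the user-rights area to a temporary file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Built-in Administrator (RID 500) and Guest (RID 501) by their current names.
$builtin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -match '-(500|501)$' } | ForEach-Object { $_.Name }

# Principals from Table 12.3; append your non-operating-system service accounts.
$expected = @('ANONYMOUS LOGON') + @($builtin) + @('SUPPORT_388945a0')

Test-DenyNetworkLogon -InfPath $inf -Expected $expected | Format-Table -AutoSize
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

A principal reported with Denied = False is one the BHLP did not cover; because this right is applied through the local GPO on a bastion host, the fix is to correct the SSLF-Bastion Host template rather than a domain GPO.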
Error Reporting
Table 12.B Recommended Error Reporting Settings
Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality
Turn off Windows Error Reporting | Enabled | Enabled | Enabled
This service helps Microsoft track and address errors. You can configure this service to generate reports for operating system errors, Windows component errors, or program errors. It is only available in Windows XP Professional and Windows Server 2003. The Error Reporting service can report such errors to Microsoft through the Internet or to an internal file share. Although error reports can potentially contain sensitive or even confidential data, the Microsoft privacy policy with regard to error reporting ensures that Microsoft will not use such data improperly. However, the data is transmitted in plaintext HTTP, which could be intercepted on the Internet and viewed by third parties. The Turn off Windows Error Reporting setting controls whether the Error Reporting service transmits any data.
You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings
Configure the Turn off Windows Error Reporting setting to Enabled in the BHLP for all three environments that are defined in this guide.
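Both this setting and the FIPS setting from the Certificate Services chapter end up as registry values, which makes them easy to audit without opening the Group Policy Object Editor. The script below is an added example, not part of the guide: it reads the value behind each policy and compares it with the prescribed state. The value locations come from my own knowledge of the policies (the FIPS value moved from a value under Lsa on Windows XP/2003 to Lsa\FipsAlgorithmPolicy\Enabled on Windows Vista and later, and Turn off Windows Error Reporting writes DoReport under Policies\Microsoft\PCHealth\ErrorReporting); they are not stated in the guide, so verify them against the ADM templates of your build. PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the guide): read the registry values behind two of
# the settings discussed in these chapters and report whether they match the
# prescribed state. Value locations are from the policies' ADM templates as I
# know them, not from the guide; both FIPS locations are checked because the
# value moved to a subkey from Windows Vista onward.

$checks = @(
    [pscustomobject]@{
        Setting  = 'System cryptography: Use FIPS compliant algorithms (Enabled)'
        Paths    = @(
            @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                     Name = 'FipsAlgorithmPolicy' }, # XP / 2003
            @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'; Name = 'Enabled' }             # Vista and later
        )
        Expected = 1
    },
    [pscustomobject]@{
        Setting  = 'Turn off Windows Error Reporting (Enabled)'
        Paths    = @(
            @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'; Name = 'DoReport' }  # XP / 2003 policy
        )
        Expected = 0   # the policy disables reporting by setting DoReport to 0
    }
)

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist rather than throwing.
    try {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Test-PolicyRegistryValues {
    param($Checks)
    foreach ($check in $Checks) {
        # The first location that holds a value decides the result.
        $actual = $null
        foreach ($p in $check.Paths) {
            $v = Get-RegistryDword -Key $p.Key -Name $p.Name
            if ($null -ne $v) { $actual = $v; break }
        }
        [pscustomobject]@{
            Setting   = $check.Setting
            Expected  = $check.Expected
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $check.Expected)
        }
    }
}

Test-PolicyRegistryValues -Checks $checks | Format-Table -AutoSize
```

"not set" for the Error Reporting row means no policy is in force and the service falls back to its default behavior, which on Windows Server 2003 is to report; the row is therefore non-compliant until the BHLP is applied.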
9. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.
10. Ensure that the Skip this section checkbox is cleared in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Clear all ports except those that are required for the bastion host function.
11. In the "Registry Settings" section, select the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
12. In the "Audit Policy" section, select the Skip this section checkbox and then click Next. These policy settings are imported from the supplied INF file.
13. Include the appropriate security template (for example, SSLF-Bastion Host.inf).
14. Save the policy with an appropriate name (for example, Bastion Host.xml).
You should now perform a final test to ensure that SCW applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected.
Summary
Because bastion host servers that run Windows Server 2003 with SP1 are not protected by other devices such as firewalls, they are exposed to outside attacks. They must be secured as much as possible to maximize their availability and to minimize the possibility of compromise. The most secure bastion host servers limit access only to highly trusted accounts, and enable only those services that are necessary to fully perform their functions. This chapter explained settings and procedures that can be used to harden bastion host servers and make them more secure. Many of the settings can be applied through local Group Policy. Guidance about how to configure and apply manual settings was also provided.
More Information
The following links provide additional information about topics that relate to hardening bastion host servers that run Windows Server 2003 with SP1.
- For more information about building private networks, open the .pdf file "Firewalls and Virtual Private Networks" by Elizabeth D. Zwicky, Simon Cooper, and Brent D. Chapman at www.wiley.com/legacy/compbooks/press/0471348201_09.pdf.
- For more information about firewalls and security, see "Internet Firewalls and Security – A Technology Overview" by Chuck Semeria at www.itmweb.com/essay534.htm.
- For information about the defense-in-depth model, see the U.S. Military About defense in depth page at http://usmilitary.about.com/od/glossarytermsd/g/did.htm.
- For information about safeguards against intruders, see the "Intruder Detection Checklist" by Jay Beale at www.cert.org/tech_tips/intruder_detection_checklist.html.
- For more information about how to harden bastion hosts, see the SANS Info Sec Reading Room article "Hardening Bastion Hosts" at www.sans.org/rr/whitepapers/basics/420.php.
- For additional information about bastion hosts, see "How Bastion Hosts Work" at http://thor.info.uaic.ro/~busaco/teach/docs/intranets/ch16.htm.
- For information about how to troubleshoot the Security Configuration and Analysis Tool, see the Microsoft Knowledge Base article "Problems After You Import Multiple Templates Into the Security Configuration and Analysis Tool" at http://support.microsoft.com/?kbid=279125.
- For information about site security, see the "Site Security Handbook" at www.faqs.org/rfcs/rfc2196.html.
)ore In&or"ation
The following links provide additional information about topics that relate to hardening servers that run !indows Server *++, with S-.. :or more information about security at Microsoft1 see the Trustworthy Computing" Security page at www.microsoft.com#mscorp#twc#default.msp9. :or more detail about how M$: can assist in your enterprise1 see the Microsoft $perations :ramework page at www.microsoft.com#technet#itsolutions#cits#mo#mof#default.msp9.
Security %oo#s
The following tools are available either with the !indows Server) *++, operating system or as free downloads from the Microsoft !eb site.
Security Con&i(uration
ditor
The Security Configuration ?ditor /SC?0 tools are used to define security policy templates that can be applied to individual computers or to groups of computers through Active Directory Hroup -olicy. The SC? first appeared as an add%on for !indows 8T( E.+ and has become an integral part of Hroup -olicy. The SC? is no longer a separate component and is used in the following Microsoft Management Console /MMC0 snap%ins and administrative utilities" MMC Security Configuration and Analysis snap%in MMC Security Templates snap%in Hroup -olicy ?ditor snap%in /used for the Security Settings portion of the Computer Configuration tree0 Local Security Settings tool Domain Controller Security -olicy tool Domain Security -olicy tool
.-:
Cecause all of these tools use the SC?1 !indows administrators en7oy a consistent1 powerful interface to create and edit policies whether they are intended for a stand%alone computer or will be deployed as a H-$. Bou can find more information about SC? from !indows Help.
The Hroup -olicy Management Console with Service -ack . is available as a free download for all !indows Server *++, customers at www.microsoft.com#downloads#details.asp9?:amily3D4+aLdEc*E%>cbd%Eb,5%6*N*% dd,cbfc>.>>NODisplayLang4en.
.-;
- Selected computer roles
- Selected computer tasks
- Registry settings
- Policy settings
- Audit policies
Also, SCW policies can be linked to one or more policy templates to provide additional functionality that is not native to SCW, such as system service or registry access control lists (ACLs).
Policy templates are supported by almost all of the tools that are listed earlier in this appendix, and the same template format can be used for both local computer policies and Active Directory Group Policies. Before they can be used, the templates must be imported by the appropriate tool.
- The WMI filter link, if there is one (but not the filter itself)
- Links to IP Security policies, if any
- XML report of the GPO settings, which can be viewed as HTML from within GPMC
- Date and time stamp of when the backup was taken
- User-supplied description of the backup
However, this backup does not save any of the data that is external to the GPO. In particular, this file will not contain link information for sites, domains, or OUs and it will not contain the actual WMI filters or IP security policies.
User rights, which are discussed in Chapter 4, "The Member Server Baseline Policy."
Security options, which are discussed in Chapter 4, "The Member Server Baseline Policy."
- Accounts: Limit local account use of blank passwords to console logon only
- Domain Member: Digitally encrypt or sign Secure channel Data (always)
- Domain Member: Digitally encrypt Secure channel Data (when possible)
- Domain Member: Digitally sign Secure channel Data (when possible)
- Domain member: require strong (Windows 2000 or later) session key
- Network access: Allow anonymous SID/Name translation
- Network Access: Do not allow anonymous enumeration of SAM accounts
- Network access: do not allow enumeration of SAM accounts and shares
- Network Access: Let Everyone permissions apply to anonymous users
- Network Access: Remotely Accessible Registry Paths
- Network Access: Restrict Anonymous access to named pipes and shares
- Network Access: Shares that can be accessed anonymously
- Network Access: Sharing and Security Model for Local Accounts
- Network Security: Do not store LAN manager hash value on next password change
- Network Security: LAN Manager Authentication Level
Additional registry settings, which are discussed in Chapter 4, "The Member Server Baseline Policy."
- Safe DLL Search Mode
Each worksheet contains the following columns:
- The G column, Policy Setting Name in User Interface, is the name of the setting as it appears in the Windows Server 2003 Group Policy Editor snap-in.
- The J column, Legacy Client, is the recommended value for that setting in the LC environment.
- The K column, Enterprise Client, is the recommended value for that setting in the EC environment.
- The L column, SSLF, is the recommended value for that setting in the SSLF environment.
To make the spreadsheet easy to read, additional columns were used to illustrate the hierarchy of objects within the Group Policy Editor. Columns A through G are used to represent one level each of the hierarchy. For example, Computer Configuration appears in column A, and Security Settings appears in column C. Column I was also inserted to help with readability.
Scope
The Windows Server 2003 Security Guide was tested in a lab that simulated three different security environments: Legacy Client (LC), Enterprise Client (EC), and Specialized Security – Limited Functionality (SSLF). These environments are described in Chapter 1, "Introduction to the Windows Server 2003 Security Guide." Tests were conducted based on the criteria that are described in the following "Test Objectives" section. A vulnerability assessment of the test lab environment that was used to secure the Windows Server 2003 Security Guide solution was out of scope for the test team.
Test Objectives
The Windows Server 2003 Security Guide test team was guided by the following test objectives:
- Validate the recommended changes in security settings for the three security levels that are defined in the guide. Reasons for these changes include:
  - Changes caused by the release of SP1 for Windows Server 2003.
  - Use of the new Security Configuration Wizard (SCW) tool that became available in SP1 and new features such as Windows Firewall.
  - Internal and external feedback that was received about the previous version of the guide.
- Ensure that the security settings and configuration changes that are recommended in the guide meet the requirements of the LC, EC, and SSLF environments.
- Ensure that hardened domain member servers are able to successfully perform their role tasks.
- Ensure that communication between the client computers and the domain controllers is not negatively affected.
- Verify that all prescriptive guidance is clear, complete, and technically correct.
Finally, the guidance should be repeatable and reliably usable by a Microsoft Certified Systems Engineer (MCSE) with two years of experience.
Test Environment
The test lab networks that were developed to test this guide were similar to those that were used in the previous version of the guide. Three separate but similar networks were developed, one for each of the defined environments. Each test network consisted of a Windows Server 2003 with SP1 Active Directory® directory service forest, computers for infrastructure server roles that provided domain controller, DNS, WINS and DHCP services, and other computers for application server roles that provided file, print, and Web services. The EC network also included computers for the Certificate Services and IAS server roles, and the Bastion Host (BH) server role was included in the SSLF network. Also, the EC and SSLF networks included Microsoft Operations Manager (MOM) 2005 and Systems Management Server (SMS) 2003 to manage and monitor the domain member servers and client computers. These networks also included Microsoft Exchange Server 2003 for e-mail service. The client computers in the different networks used Windows XP Professional with SP2 and Windows 2000 Professional with SP4. The LC network also included client computers that ran the Windows 98 SR2 and Windows NT® 4.0 workstation with SP6a operating systems.
The following diagram shows the test lab network that was developed for the EC environment.
Figure D.1 Logical diagram of the test lab network for the EC environment
To verify replication scenarios between hardened domain controllers, the Active Directory forest consisted of two sites. One site was the main office site with an empty root domain and a child domain that consisted of the previously mentioned server and client computers. The second site consisted merely of a single second domain controller of the child domain.
The following diagram shows the test lab network that was developed for the SSLF environment.
Figure D.2 Logical diagram of the test lab network for the SSLF environment
Testing Methodology
This section describes the procedures that were followed to test the Windows Server 2003 Security Guide. The test team established a lab that incorporated the three networks that are described in the previous section. A quick proof of concept (POC) test pass and then two more robust test cycles were executed. During each pass the team strove to stabilize the solution. A test cycle was defined as a sequence of the following phases:
1. Security Configuration Build phase
   - Manual configuration phase
   - Group Policy configuration phase
2. Test Execution phase
The details of each phase are provided in the following "Phases in a Test Pass" section. The "Test Preparation Phase" section describes the steps that were performed to ensure that the lab environment was free of any issues that could cause a misinterpretation of the actual test results after the three environments were hardened through the first two incremental build phases. It is also referred to as the "baseline" state.
To perform the manual configuration phase
1. Use the Microsoft Management Console (MMC) Computer Management snap-in to perform the prescribed policy setting changes (such as the local administrator account and password) on each member computer. Complete the following steps to secure the domain accounts:
   a. Ensure that the built-in local Administrator account has a complex password, has been renamed, and has had its default account description removed.
   b. Rename the Guest accounts on the host and disable them.
   c. Incorporate any additional recommendations from the guide about how to secure the domain accounts.
2. Add any unique security groups or accounts to the user rights settings as described in the chapters.
3. Perform all other applicable manual hardening procedures as prescribed in each chapter. For example, enable Manual Memory Dumps and Error reporting configuration.
The following steps were repeated for each of the three security environments:
To create Group Policy objects
1. Ensure that all required applications, services, and agents were installed on each domain member in the baseline network. For example, ensure that the MOM agent was installed on all the domain member servers that will be managed by MOM.
2. Use the MMC Active Directory Users and Computers snap-in to create the described OU structure.
3. Create the Domain Policy GPO with the .inf security template. This step does not require the use of SCW.
4. Use the SCW tool to create XML-based security templates for each server role that is described in the guide. Prescriptive steps are described in Chapter 2, "Windows Server 2003 Hardening Mechanisms" and each individual server role chapter. When you perform this step, include the appropriate .inf security template for the server role. The template files are included with the downloadable version of this guide.
5. Use the Scwcmd command-line tool to convert the XML security templates that were created in the previous step to GPOs.
6. Repeat step 4 on the Bastion Host server to create the Bastion Host XML security template and then use SCW again to convert and apply it to the Local GPO.
After the GPOs are successfully created, compare the settings with the guidance in the chapters to identify any incorrect configurations. At this stage, all the domain member servers reside in the Computers OU. These servers are then moved to their respective OUs under the Member Server OU. The next task (detailed in the following procedure) is to apply each of these GPOs to the respective OUs. The Group Policy Management Console (GPMC) tool was used to link the GPO with the OU. The Domain Controller Policy GPO was linked last. The following steps were performed to complete the rest of the Security Configuration Build phase:
To apply Group Policy objects
1. Link the Domain Policy GPO to the domain object.
Note: If default GPO links are already present or if there are multiple GPOs, you might need to elevate the GPO links in the priority list.
2. Use the Group Policy Management Console tool to link the Member Server Baseline Policy GPO to the Member Servers OU. (You can also perform this step with the MMC Active Directory Users and Computers snap-in.)
3. Link each individual server role GPO to the appropriate server role OU.
4. Link the Domain Controller Policy GPO to the Domain Controller OU.
5. To ensure application of the latest Group Policy settings, execute gpupdate /force at a command prompt on all domain controllers. Then restart all the domain controllers one at a time, starting with the primary domain controller. Allow sufficient time for Active Directory to replicate the changes between the sites.
Important: It is very important to restart the domain controllers after you apply the Domain Controllers Policy GPO. If you do not perform this step you may see replication errors in the Directory Service folder or Userenv errors in the Application folder of Event Viewer.
6. Repeat step 5 on all of the domain member servers.
7. Check Event Viewer for any errors. Review the error logs to troubleshoot and resolve any failures.
8. On the Bastion Host server, use the SCW tool to apply the Bastion Host XML security template on the Local GPO of the server.
3. In the Resultant Set of Policy console, expand Console Root and browse to Computer Configuration.
4. Right-click Computer Configuration and click Properties. The list of GPOs will display in the Computer Configuration Properties panel. The GPO that was applied to the OU should be available in the list, and there should be no errors associated with it.
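The convert, refresh and verify part of the procedures above (Scwcmd conversion in step 5 of "To create Group Policy objects", gpupdate in step 5 and the Event Viewer review in step 7 of "To apply Group Policy objects") can be scripted; the script below is an added example, not part of the guide or its Tools and Templates download. scwcmd transform and gpupdate are the tools the procedure names; the policy file path, the GPO name and the service names used for the Windows Firewall check are assumptions for illustration. Save it as a .ps1 and run it as a domain administrator on a domain controller that has GPMC installed; linking the new GPO to its OU is still done in GPMC as the procedure describes.

```powershell
# Added example (not from the guide): convert an SCW policy to a GPO, refresh
# policy, and review the errors the procedure tells you to look for. Assumed:
# the policy path, the GPO name, and the firewall service names below.

param(
    [string]$PolicyXml = 'C:\SCW\Certificate Services.xml',   # assumed path
    [string]$GpoName   = 'Certificate Services Policy'        # assumed GPO name
)

function Test-WindowsFirewallRunning {
    # SCW policies that carry firewall settings need the firewall service running.
    # SharedAccess is the Windows Server 2003 service name; MpsSvc is the Vista
    # and later name, so whichever one exists is checked.
    $svc = Get-Service -Name SharedAccess, MpsSvc -ErrorAction SilentlyContinue | Select-Object -First 1
    return (($null -ne $svc) -and ($svc.Status -eq 'Running'))
}

function Convert-ScwPolicyToGpo {
    param([string]$Xml, [string]$Name)
    # scwcmd transform writes the GPO into Active Directory but does not link it.
    $output = scwcmd transform /p:"$Xml" /g:"$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed: $output" }
    return $output
}

function Get-RecentPolicyErrors {
    param([datetime]$Since)
    # Userenv errors in the Application log and any error in the Directory
    # Service log are the ones the Important note above calls out.
    $errors = @()
    $errors += Get-EventLog -LogName Application -EntryType Error -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq 'Userenv' }
    $errors += Get-EventLog -LogName 'Directory Service' -EntryType Error -After $Since -ErrorAction SilentlyContinue
    return $errors | Select-Object TimeGenerated, Source, EventID, Message
}

if (-not (Test-WindowsFirewallRunning)) {
    Write-Warning 'Windows Firewall service is not running; firewall settings in the policy will not be applied.'
}

Convert-ScwPolicyToGpo -Xml $PolicyXml -Name $GpoName | Out-Null
Write-Host "GPO '$GpoName' created from $PolicyXml. Link it to the target OU in GPMC, then press Enter to refresh policy."
Read-Host | Out-Null

$started = Get-Date
gpupdate /force | Out-Null

# Review errors logged since the refresh started (step 7 of the procedure).
$problems = Get-RecentPolicyErrors -Since $started
if ($problems) {
    $problems | Format-List
} else {
    Write-Host 'No Userenv or Directory Service errors since policy refresh.'
}
```

Because a restart of the domain controllers is part of the procedure, run the error review again after the restart: Userenv events raised during the first logon after the reboot are the ones that reveal a policy that could not be applied.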
The test team e9ecuted the set of test cases that are included in ZWindows Server 2003 Security Guide Tools and Templates\Test Tools folder. /The tools and templates are included with the downloadable version of this guide.0 These tests were e9ecuted on each of the three separate networks e9cept for those that tested components that were only available in one networkIsuch as Certificate Services1 which was only available in the ?C environment. 3n addition to these test cases1 manual testing was performed at various timeIfor e9ample1 to periodically check ?vent <iewer logs or to verify any specific issues that were discovered in the previous version of the guide. All issues that were found were logged in a database and triaged with members of the development team until they were resolved. More detailed information about the different types of tests that were performed is provided in the ne9t section.
Print, and Web) are available to the client computers after the network servers are hardened. For the LC environment, these tests ensured that those client computers that run Windows NT 4.0 SP6a and Windows 98 were able to authenticate with the Windows Server 2003 Active Directory domain.
Script Tests
Some of the client test scenarios were scripted in VBScript. These test cases are primarily concerned with proper functionality of Windows XP client computers that use network-based services, such as domain logon, password change, and print server access. The VBScript files for these test cases are available in the \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder that is included in the downloadable version of this guide.
Release Criteria
The primary release criterion for the Windows Server 2003 Security Guide was related to the severity of bugs that were still open. However, other issues that were not being tracked through bugs were also discussed. The criteria for release are:
• No bugs are open with severity levels 1 and 2.
• All open bugs are triaged by the leadership team, and their impacts are fully understood.
• Solution guides are free of comments and revision marks.
• The solution successfully passes all test cases in the test lab environment.
• Solution contents have no conflicting statements.
Bug Classification
The bug severity scale is described in the following table. The scale is from 1 to 4, with 1 as the highest severity and 4 as the lowest severity.

Table D.1 Bug Severity Classification

Severity 1
Most common types:
• Bug blocked build or further testing.
• Bug caused unexpected user accessibility.
• Steps defined in the documentation were not clear.
• Results or behavior of a function or process contradicts expected results (as documented in functional specification).
• Major mismatch between the security template files and the functional specification.
Conditions required:
• Solution did not work.
• User could not begin to use significant parts of the computer or network.
• User had access privileges that should not be allowed.
• User access was blocked to certain server(s) that should be allowed.
• Expected results were not achieved.
• Testing cannot proceed without being addressed.

Severity 2
Most common types:
• Steps defined in the guide are not clear.
• Documented functionality is missing (in this case, test was blocked).
• Documentation is missing or inadequate.
• Inconsistency between security template files and content in the guide, but security template file is in sync with functional specification.
Conditions required:
• User had no simple workaround to amend the situation.
• User could not easily figure out a workaround.
• Primary business requirements could not be met by the computer or network.

Severity 3
Most common types:
• Documented format issue.
• Minor documentation errors and inaccuracies.
• Text misspellings.
Conditions required:
• User has a simple workaround to mend situation.
• User can easily figure out workaround.
• Bug does not cause a bad user experience.
• Primary business requirements are still functional.

Severity 4
Conditions required:
• Clearly not related to this version.
Su""ary
This appendix enables an organization that uses the Windows Server 2003 Security Guide to understand the procedures and steps that were used to test the implementation of the solution in a test lab environment. The actual experience of the Windows Server 2003 Security Guide test team is captured in this appendix, which includes descriptions of the test environment, types of tests, the release criteria, and bug classification details. All of the test cases that were executed by the test team passed with the expected results. The test team confirmed that the requisite functionality was available after the recommendations from the Windows Server 2003 Security Guide for the defined environments were applied.
3cknow#ed("ents
The Microsoft Solutions for Security and Compliance group (MSSC) would like to acknowledge and thank the team that produced the Windows Server 2003 Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Authors
Mike Danseglio
Kurt Dillard
José Maldonado
Brad Warrender
Release Managers
Flicka Crandell
Karl Seng, Siemens Agency Services
Testers
Kenon Bliss, Volt Information Sciences
Gaurav Singh Bora, Infosys Technologies
Paresh Gujar, Infosys Technologies
Vince Humphreys, Volt Information Sciences
Ashish Java, Infosys Technologies
Mehul Mediwala, Infosys Technologies
Rob Pike
Varun Rastogi, Infosys Technologies
Content Contributors
Liam Colvin, 3Sharp LLC
William Dixon, V6 Security Inc
Tony Dowler, 3Sharp LLC
Eric Fitzgerald
Devin Ganger, 3Sharp LLC
Stirling Goetz
Ian Hellen
Jesper Johansson
Steve Ryan, Content Master
Kirk Soluk
Reviewers
Roger Abell, Arizona State University
Jose Luis Auricchio
Avi Ben-Menahem
Rich Benack
Shelly Bird
Susan Bradley
Steve Clark
Rob Cooper
Duane Crider
Karel Dekyvere
Christine Duell
Eric Fitzgerald
Mike Greer
Robert Hensing
Chad Hilton
Andrew Mason
Program Managers
Bomani Siwatu
Alison Woolford, Content Master
Editors
Reid Bannecker
Wendy Cleary, S&T Onsite
John Cobb, Volt Information Sciences
Kelly McMahon, Content Master
Lynne Perry, Content Master
Jon Tobey
Steve Wacker, Wadeware LLC
Don McGowan
James Noyce
Joe Porter
Joel Scambray
Debra Littlejohn Shinder
Tom Shinder
Steve Smegner
Ben Smith
Allen Stewart
Didier Vandenbroeck
Ryan Vatne
Jeff Williams
Jim Whitney, Configuresoft
Shain Wray

Other Contributors
Ignacio Avellaneda
Ganesh Balakrishnan
Tony Bailey
Shelly Bird
Nathan Buggia
Derick Campbell
Chase Carpenter
Jeff Cohen
John Dwyer
Sean Finnegan
Karl Grunwald
Joanne Kennedy
Karina Larson, Volt Information Sciences
Chrissy Lewis, Siemens Business Services
David Mowers
Jeff Newfeld
Rob Oikawa
Vishnu Patankar
Peter Meister
Keith Proctor
Bill Reid
Sandeep Sinha
Stacy Tsurusaki, Volt Information Sciences
David Visintainer, Volt Information Sciences
Graham Whiteley
Rob Wickham
Lori Woehler
Jay Zhang
At the request of Microsoft, The Center for Internet Security (CIS) and the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the final review of these Microsoft documents and provided comments, which were incorporated into the published versions.