Server hardening

This excerpt from Microsoft Windows Group Policy Guide discusses the basic security baseline for a member server running in a Windows Server 2003 Active Directory domain. It also covers the best-practice security configurations in the security templates, first for member servers in general and then for specific member server roles and for domain controllers.

Microsoft Windows Group Policy Guide. The following excerpt series from Chapter 5 of "Microsoft Windows Group Policy Guide" by William R. Stanek, Darren Mar-Elia and Derek Melber is provided by Microsoft Press, copyright 2005.

 


Server hardening

Server hardening consists of creating a baseline for the security on your servers in your organization. The default configurations of a Windows Server 2003 computer are not designed with security as the primary focus. Rather, a default installed computer is designed for communication and functionality. To protect your servers, you must establish solid and sophisticated security policies for all types of servers in your organization.

In this section, we will discuss the basic security baseline for a member server that is running in a Windows Server 2003 Active Directory domain. We will also discuss the best-practice security configurations in the security templates, starting with the generic best practices that apply to most member servers in the organization. We will then move on to the specific types of member servers, as well as domain controllers. We will discuss which services, ports, applications, and so forth need to be hardened for different server roles, and compare this to the baseline security for simple member servers.

 

TABLE OF CONTENTS
    Member servers
    Domain controllers
    File and print servers
    Web servers

 

  Member servers

You must establish a baseline of security for all member servers before creating additional security templates and policies to tailor security for specific types of servers. One of the most important aspects of applying hardening settings to member servers is developing the OU hierarchy that will support the security templates and policies that you develop. You must also understand the various levels of security that are routinely used to develop and deploy security to all servers.

OU design considerations

The only way to efficiently and successfully deploy security to the different server roles in your enterprise is to design Active Directory to support those roles. The design should not only provide an efficient method to deploy security, but it should also organize the computer accounts into OUs for easier management and troubleshooting.

Although Active Directory design is extremely flexible, you must consider a number of factors when organizing servers into OUs based on server role. The first factor is Group Policy application. For example, if you have two server roles that each need different security policy settings, you should separate the computer accounts into different OUs. The second factor is administration of the computer accounts within Active Directory. Even though you have only two different server roles, you might have two different administrators controlling the same type of server role. This might force you to have OUs not only for server roles, but also for server roles based on the administrator in charge.

Figure 5-7 illustrates an OU structure that does not consider location or administrative needs but does consider server roles. Figure 5-8 illustrates an OU structure that has a different set of administrators for the Main Office and Branch Office, where each office also has the same types of server roles.

 

Figure 5-7: An OU structure based on server roles only

 

 

Figure 5-8: An OU structure that considers location and administrative needs as well as server roles

 

TIP   OUs are also commonly organized by physical location -- for example, the Main Office and Branch Office model. For more information on organizing OUs based on GPO deployment, see Chapter 4.

Member server security environment levels

Member server security environments are based on the operating systems of the clients and servers in your enterprise. Legacy clients and servers can't take advantage of the robust features and functions that Active Directory provides, such as Group Policy, Kerberos, and other security features. As the operating systems of domain members rise to levels that support all Active Directory functions and features, it becomes possible to raise the overall security for the enterprise and thus create a solid security environment.

There are three different security environment levels typically found in an enterprise environment:

  • Legacy Client   When you have a mixed operating system environment of new and older versions, you must provide adequate security that will not constrain the operation of legacy clients. This is the lowest security level, but it needs to be that way for communication to occur and legacy applications to work properly. This business environment might include legacy clients such as Windows 95, Windows 98, or Windows NT 4.0 Workstation. You should limit this environment to having only Windows 2000 Server and Windows Server 2003 domain controllers. You should not support Windows NT 4.0 Server domain controllers, although you can have Windows NT Server computers configured as member servers.

     

  • Enterprise Client   This security level removes the legacy operating systems and uses only those that support the features and functions that Active Directory offers. This includes clients running Windows 2000 Professional and Windows XP Professional. These clients all support Group Policy, Kerberos authentication, and new security features that the legacy clients don't support. The domain controllers must be Windows 2000 Server or later. There will not be any Windows NT Server computers, even as member servers.

     

  • High Security   This security level uses the same set of operating systems as Enterprise Client; it changes only how much security is enforced. All computers must conform to stringent security policies for both clients and servers. This environment may be restrictive enough that some functionality and manageability is lost; that loss has to be accepted as the price of the higher security level.

 

"Windows Server 2003 Security Guide"
The three enterprise environments described earlier and the procedures outlined in this chapter for hardening different server roles in each environment are discussed more fully in the Windows Server 2003 Security Guide. The Security Guide also includes a set of additional security templates that can be imported into GPOs to harden different server roles in legacy client, enterprise client, and high security environments. It also includes additional procedures for hardening security settings that cannot be configured using Group Policy. Using these additional security templates can simplify the hardening of different server roles on your network, and you can further customize these security templates to meet the specific needs of your Active Directory environment.

Security settings for member servers

This section will cover some common security settings that apply to standard member servers in the domain. These settings are best created in a GPO that is then linked to the top-level server OU. In Figure 5-7 or 5-8, this would be the Member Servers OU.

Table 5-7 provides a full list of security settings for a member server.

 

NOTE   Account Policies, which include Password Policy, Account Lockout Policy, and Kerberos Policy, are not specified in the member servers security baseline outlined here. This is because Account Policies must be defined at the domain level in Active Directory, while the member servers security baseline is defined in GPOs linked to OUs where member servers are found. For best practices concerning domain Account Policies, see "Account Policies" under "Sections of the Security Template" earlier in this chapter, and also refer to the Windows Server 2003 Security Guide described in the "Windows Server 2003 Security Guide" sidebar.

Table 5-7   Security settings for member servers

Auditing

| Security Setting         | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|--------------------------|-----------------------------|---------------------------------|-----------------------------|
| Account Logon Events     | Success, Failure            | Success, Failure                | Success, Failure            |
| Account Management       | Success, Failure            | Success, Failure                | Success, Failure            |
| Directory Service Access | Success, Failure            | Success, Failure                | Success, Failure            |
| Logon Events             | Success, Failure            | Success, Failure                | Success, Failure            |
| Object Access            | Success, Failure            | Success, Failure                | Success, Failure            |
| Policy Change            | Success                     | Success                         | Success                     |
| Privilege Use            | No Auditing                 | Failure                         | Success, Failure            |
| Process Tracking         | No Auditing                 | No Auditing                     | No Auditing                 |
| System Events            | Success                     | Success                         | Success                     |

 

 

User Rights

In this table, "Not Defined" means Not Defined (use defaults), "Revoke all" means revoke all security groups and accounts, and "Same" means the same value as in the Legacy Client column.

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|---|---|---|---|
| Access this computer from the network | Not Defined | Not Defined | Administrators; Authenticated Users |
| Act as part of the operating system | Not Defined | Not Defined | Revoke all |
| Add workstations to domain | Not Defined | Not Defined | Administrators |
| Adjust memory quotas for a process | Not Defined | Not Defined | Administrators; NETWORK SERVICE; LOCAL SERVICE |
| Allow log on locally | Administrators; Backup Operators; Power Users | Same | Same |
| Allow log on through Terminal Services | Administrators; Remote Desktop Users | Administrators; Remote Desktop Users | Administrators |
| Change the system time | Not Defined | Not Defined | Administrators |
| Debug programs | Revoke all | Revoke all | Revoke all |
| Deny access to this computer from the network | ANONYMOUS LOGON; Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all non-operating-system service accounts | Same | Same |
| Deny log on as a batch job | Guests; SUPPORT_388945a0; Guest | Same | Same |
| Deny log on through Terminal Services | Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all non-operating-system service accounts | Same | Same |
| Enable computer and user accounts to be trusted for delegation | Not Defined | Not Defined | Revoke all |
| Force shutdown from a remote system | Not Defined | Not Defined | Administrators |
| Generate security audits | Not Defined | Not Defined | NETWORK SERVICE; LOCAL SERVICE |
| Impersonate a client after authentication | Not Defined | Not Defined | LOCAL SERVICE; NETWORK SERVICE |
| Increase scheduling priority | Not Defined | Not Defined | Administrators |
| Load and unload device drivers | Not Defined | Not Defined | Administrators |
| Lock pages in memory | Not Defined | Not Defined | Administrators |
| Log on as a batch job | Not Defined | Not Defined | Revoke all |
| Manage auditing and security log | Not Defined | Not Defined | Administrators |
| Modify firmware environment values | Not Defined | Not Defined | Administrators |
| Perform volume maintenance tasks | Not Defined | Not Defined | Administrators |
| Profile single process | Not Defined | Not Defined | Administrators |
| Profile system performance | Not Defined | Not Defined | Administrators |
| Remove computer from docking station | Not Defined | Not Defined | Administrators |
| Replace a process level token | Not Defined | Not Defined | LOCAL SERVICE; NETWORK SERVICE |
| Restore files and directories | Not Defined | Administrators | Administrators |
| Shut down the system | Not Defined | Not Defined | Administrators |
| Synchronize directory service data | Not Defined | Not Defined | Revoke all |
| Take ownership of files or other objects | Not Defined | Not Defined | Administrators |

 

 

Security Options

In this table, "Same" means the same value as in the Legacy Client column; the long values marked (a), (b) and (c) are listed in full after the table.

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|---|---|---|---|
| Accounts: Guest account status | Disabled | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled |
| Audit: Audit the access of global system objects | Disabled | Disabled | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled | Disabled | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled | Enabled |
| Devices: Allow undock without having to log on | Disabled | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled | Enabled | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Not Defined (use defaults) | Not Defined (use defaults) | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Not Defined (use defaults) | Not Defined (use defaults) | Enabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Disabled | Disabled | Disabled |
| Domain controller: LDAP server signing requirements | Not Defined (use defaults) | Not Defined (use defaults) | Require signing |
| Domain controller: Refuse machine account password changes | Disabled | Disabled | Disabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Disabled | Enabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled |
| Domain member: Disable machine account password changes | Disabled | Disabled | Disabled |
| Domain member: Maximum machine account password age | 30 days | 30 days | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled |
| Interactive logon: Do not display last user name | Enabled | Enabled | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled |
| Interactive logon: Message text for users attempting to log on | Banner text (a) | Same | Same |
| Interactive logon: Message title for users attempting to log on | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | Same | Same |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 1 | 0 | 0 |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Enabled | Enabled |
| Interactive logon: Smart card removal behavior | Not Defined (use defaults) | Lock Workstation | Lock Workstation |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Disabled | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled |
| Network access: Named Pipes that can be accessed anonymously | None | None | None |
| Network access: Remotely accessible registry paths | List (b) | Same | Same |
| Network access: Remotely accessible registry paths and sub-paths | List (c) | Same | Same |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled |
| Network access: Shares that can be accessed anonymously | None | None | None |
| Network access: Sharing and security model for local accounts | Classic: local users authenticate as themselves | Same | Same |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only/refuse LM | Send NTLMv2 response only/refuse LM & NTLM |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | All settings enabled | All settings enabled |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | All settings enabled | All settings enabled |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled |
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | User is prompted when the key is first used | User must enter a password each time they use a key |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled |
| System objects: Strengthen default permissions of internal system objects (such as Symbolic Links) | Enabled | Enabled | Enabled |
| System settings: Optional subsystems | None | None | None |

(a) Logon banner text, identical in all three environments: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background."

(b) Remotely accessible registry paths, identical in all three environments:
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion

(c) Remotely accessible registry paths and sub-paths, identical in all three environments:
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog

"All settings enabled" for the NTLM SSP minimum session security settings means all four options are selected: require message integrity, require message confidentiality, require NTLMv2 session security, and require 128-bit encryption.

 

 

Event Log

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|---|---|---|---|
| Maximum application log size | 16,384 KB | 16,384 KB | 16,384 KB |
| Maximum security log size | 81,920 KB | 81,920 KB | 81,920 KB |
| Maximum system log size | 16,384 KB | 16,384 KB | 16,384 KB |
| Prevent local guests group from accessing application log | Enabled | Enabled | Enabled |
| Prevent local guests group from accessing security log | Enabled | Enabled | Enabled |
| Prevent local guests group from accessing system log | Enabled | Enabled | Enabled |
| Retention method for application log | As needed | As needed | As needed |
| Retention method for security log | As needed | As needed | As needed |
| Retention method for system log | As needed | As needed | As needed |

 

 

System Services

The startup type for every service is the same in the Legacy Client, Enterprise Client and High Security configurations, so the table shows a single column.

| Service | Startup type (all three environments) |
|---|---|
| Alerter | Disabled |
| Application Layer Gateway Service | Disabled |
| Application Management | Disabled |
| ASP.NET State Service | Disabled |
| Automatic Updates | Automatic |
| Background Intelligent Transfer Service | Manual |
| Certificate Services | Disabled |
| MS Software Shadow Copy Provider | Manual |
| Client Service for NetWare | Disabled |
| ClipBook | Disabled |
| Cluster Service | Disabled |
| COM+ Event System | Manual |
| COM+ System Application | Disabled |
| Computer Browser | Automatic |
| Cryptographic Services | Automatic |
| DHCP Client | Automatic |
| DHCP Server | Disabled |
| Distributed Link Tracking Client | Disabled |
| Distributed Link Tracking Server | Disabled |
| Distributed Transaction Coordinator | Disabled |
| DNS Client | Automatic |
| DNS Server | Disabled |
| Error Reporting Service | Disabled |
| Event Log | Automatic |
| Fax Service | Disabled |
| File Replication | Disabled |
| File Server for Macintosh | Disabled |
| FTP Publishing | Disabled |
| Help and Support | Disabled |
| HTTP SSL | Disabled |
| Human Interface Device Access | Disabled |
| IAS Jet Database Access | Disabled |
| IIS Admin Service | Disabled |
| IMAPI CD-Burning COM Service | Disabled |
| Indexing Service | Disabled |
| Infrared Monitor | Disabled |
| Internet Authentication Service | Disabled |
| Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled |
| Intersite Messaging | Disabled |
| IP Version 6 Helper Service | Disabled |
| IPSec Policy Agent (IPSec Service) | Automatic |
| Kerberos Key Distribution Center | Disabled |
| License Logging Service | Disabled |
| Logical Disk Manager | Manual |
| Logical Disk Manager Administrative Service | Manual |
| Message Queuing | Disabled |
| Message Queuing Down Level Clients | Disabled |
| Message Queuing Triggers | Disabled |
| Messenger | Disabled |
| Microsoft POP3 Service | Disabled |
| MSSQL$UDDI | Disabled |
| MSSQLServerADHelper | Disabled |
| .NET Framework Support Service | Disabled |
| Netlogon | Automatic |
| NetMeeting Remote Desktop Sharing | Disabled |
| Network Connections | Manual |
| Network DDE | Disabled |
| Network DDE DSDM | Disabled |
| Network Location Awareness (NLA) | Manual |
| Network News Transport Protocol (NNTP) | Disabled |
| NT LM Security Support Provider | Automatic |
| Performance Logs and Alerts | Manual |
| Plug and Play | Automatic |
| Portable Media Serial Number | Disabled |
| Print Server for Macintosh | Disabled |
| Print Spooler | Disabled |
| Protected Storage | Automatic |
| Remote Access Auto Connection Manager | Disabled |
| Remote Access Connection Manager | Disabled |
| Remote Administration Service | Manual |
| Remote Desktop Help Session Manager | Disabled |
| Remote Installation | Disabled |
| Remote Procedure Call (RPC) | Automatic |
| Remote Procedure Call (RPC) Locator | Disabled |
| Remote Registry | Automatic |
| Remote Server Manager | Disabled |
| Remote Server Monitor | Disabled |
| Remote Storage Notification | Disabled |
| Remote Storage Server | Disabled |
| Removable Storage | Manual |
| Resultant Set of Policy Provider | Disabled |
| Routing and Remote Access | Disabled |
| SAP Agent | Disabled |
| Secondary Logon | Disabled |
| Security Accounts Manager | Automatic |
| Server | Automatic |
| Shell Hardware Detection | Disabled |
| Simple Mail Transfer Protocol (SMTP) | Disabled |
| Simple TCP/IP Services | Disabled |
| Single Instance Storage Groveler | Disabled |
| Smart Card | Disabled |
| SNMP Service | Disabled |
| SNMP Trap Service | Disabled |
| Special Administration Console Helper | Disabled |
| System Event Notification | Automatic |
| Task Scheduler | Disabled |
| TCP/IP NetBIOS Helper | Automatic |
| TCP/IP Print Server | Disabled |
| Telephony | Disabled |
| Telnet | Disabled |
| Terminal Services | Automatic |
| Terminal Services Licensing | Disabled |
| Terminal Services Session Directory | Disabled |
| Themes | Disabled |
| Trivial FTP Daemon | Disabled |
| Uninterruptible Power Supply | Disabled |
| Upload Manager | Disabled |
| Virtual Disk Service | Disabled |
| Volume Shadow Copy | Manual |
| WebClient | Disabled |
| Web Element Manager | Disabled |
| Windows Audio | Disabled |
| Windows Image Acquisition (WIA) | Disabled |
| Windows Installer | Automatic |
| Windows Internet Name Service (WINS) | Disabled |
| Windows Management Instrumentation | Automatic |
| Windows Management Instrumentation Driver Extensions | Manual |
| Windows Media Services | Disabled |
| Windows System Resource Manager | Disabled |
| Windows Time | Automatic |
| WinHTTP Web Proxy Auto-Discovery Service | Disabled |
| Wireless Configuration | Disabled |
| WMI Performance Adapter | Manual |
| Workstation | Automatic |
| World Wide Web Publishing Service | Disabled |

Ports required for member servers

For a member server to function on the network with other computers, specific ports must be opened. Table 5-8 presents a list of those critical ports. As we investigate specific server roles, additional ports will need to be added to ensure the server functions properly.

Table 5-8   Ports for member servers

| Port | Description |
|---|---|
| 137 (NetBIOS name service) | Used by the browse master service. This must be open for WINS and browse master servers. |
| 138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service or the Computer Browser service. |
| 139 (NetBIOS session service) | Must be closed unless you run applications or operating systems that need to support Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers. |
| 445 (CIFS/SMB server) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration. |
| 3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance. |
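
Table 5-8 is the allow-list; the complementary check is to look at what a server is actually listening on and flag everything else. The script below is an added example, not from the book: it parses the output of `netstat -ano` on Windows and reports listeners outside the Table 5-8 set. The table does not state transport protocols, so the UDP/TCP assignments (137 and 138 UDP; 139, 445 and 3389 TCP) are added here, and the netstat output in SAMPLE_NETSTAT is constructed for the example. The PORT_HINTS mapping of well-known ports to the services in Table 5-7 is likewise an assumption made for annotation only.

```python
"""Compare a member server's listening sockets (as printed by `netstat -ano`)
with the inbound ports of Table 5-8.  Added example, not code from the book."""
import re

# Table 5-8 ports, with the transport protocol each service uses (added here).
MEMBER_SERVER_BASELINE = {
    ("UDP", 137),   # NetBIOS name service
    ("UDP", 138),   # NetBIOS datagram service
    ("TCP", 139),   # NetBIOS session service
    ("TCP", 445),   # CIFS/SMB
    ("TCP", 3389),  # Remote Desktop Protocol
}

# Well-known ports of services named in Table 5-7; used only to annotate findings.
PORT_HINTS = {
    23: "Telnet (Disabled in Table 5-7)",
    161: "SNMP Service (Disabled in Table 5-7)",
    135: "Remote Procedure Call (RPC) endpoint mapper (Automatic in Table 5-7)",
}

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional state, PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Constructed sample output (not captured from a real server).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1080
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1420
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.20:50212        ESTABLISHED     1080
  UDP    10.0.0.5:137           *:*                                    4
  UDP    10.0.0.5:138           *:*                                    4
  UDP    0.0.0.0:161            *:*                                    1320
"""


def parse_listeners(netstat_output):
    """Return {(proto, port, pid)} for TCP sockets in LISTENING state and all UDP sockets."""
    listeners = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # header, blank line, or unexpected format
        proto, _local, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                       # established sockets are not exposed services
        listeners.add((proto, int(port), int(pid)))
    return listeners


def unexpected_listeners(netstat_output, baseline=MEMBER_SERVER_BASELINE):
    """Listeners outside the baseline, sorted, each with a service hint when known.
    Use the PID to identify the owning service for ports without a hint."""
    return sorted(
        (proto, port, pid, PORT_HINTS.get(port, "unknown; identify by PID"))
        for proto, port, pid in parse_listeners(netstat_output)
        if (proto, port) not in baseline
    )


if __name__ == "__main__":
    for proto, port, pid, hint in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port} (PID {pid}): {hint}")
```

On the sample the Telnet and SNMP listeners correspond to services that Table 5-7 sets to Disabled, so they are genuine findings. The RPC endpoint mapper on TCP 135 is also reported, because Table 5-8 does not list it even though Table 5-7 leaves the Remote Procedure Call (RPC) service on Automatic; treat a reported port as a prompt to check the owning service, not as proof of misconfiguration.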

 

 

 

 

  Domain controllers

Domain controllers are the heart of any environment that runs Active Directory. These computers must be stable, protected, and available to provide the key services for the directory service, user authentication, resource access, and more. If there is any loss or compromise of a domain controller in the environment, the result can be disastrous for clients, servers, and applications that rely on domain controllers for authentication, Group Policy, and the LDAP directory.

Not only should these domain controllers be hardened with security configurations, they must also be physically secured in locations that are accessible only to qualified administrative staff. If domain controllers are stored in unsecured locations due to limitations of the facility (such as in a branch office), you should apply additional security configurations to limit the potential damage from physical threats against the computer.

Domain controller security environment levels

Along the same lines as the Member Server hardening guidelines, domain controllers also have different levels of security based on the environment in which they are deployed. These levels are the same as those defined in the "Member Servers" section in this chapter: Legacy Client, Enterprise Client, and High Security.

Security settings for domain controllers

Security settings that apply specifically to domain controllers are best created in a GPO that is then linked to the Domain Controllers OU. The settings for domain controllers should be based on those we reviewed in the earlier "Member Servers" section. Of course, a domain controller also has additional functions or features compared to a member server, and this requires additional open ports and security configuration. You must review the security settings list to ensure that you are not restricting a key feature for your domain controller.

Table 5-9 lists the settings that differ from those specified in Table 5-7. In other words, the baseline security settings for domain controllers as outlined below should be incrementally added to the baseline security settings for member servers described previously.

MORE INFO   For more information on hardening domain controllers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-9   Security settings for domain controllers

Security Setting                                Legacy Client Configuration    Enterprise Client Configuration    High Security Configuration

User Rights
Access this computer from the network           Not Defined (Use defaults)     Not Defined (Use defaults)         Administrators, Authenticated Users,
                                                                                                                  ENTERPRISE DOMAIN CONTROLLERS
Add workstations to domain                      Administrators                 Administrators                     Administrators
Allow log on locally                            Administrators                 Administrators                     Administrators
Allow log on through Terminal Services          Administrators                 Administrators                     Administrators
Change the system time                          Administrators                 Administrators                     Administrators
Enable computer and user accounts to be         Not Defined (Use defaults)     Not Defined (Use defaults)         Administrators
  trusted for delegation
Load and unload device drivers                  Administrators                 Administrators                     Administrators
Restore files and directories                   Administrators                 Administrators                     Administrators
Shut down the system                            Administrators                 Administrators                     Administrators

Security Options
Network security: Do not store LAN Manager      Disabled                       Enabled                            Enabled
  hash value on next password change

System Services
Distributed File System                         Automatic                      Automatic                          Automatic
DNS Server                                      Automatic                      Automatic                          Automatic
File Replication                                Automatic                      Automatic                          Automatic
Intersite Messaging                             Automatic                      Automatic                          Automatic
Kerberos Key Distribution Center                Automatic                      Automatic                          Automatic
Remote Procedure Call (RPC) Locator             Automatic                      Automatic                          Automatic

Ports required for domain controllers

Domain controllers perform functions that member servers do not, which is why the settings in Table 5-9 differ from the member-server baseline. Most of those differences come from the services a domain controller must run to authenticate users and to keep its copy of the Active Directory database consistent with the other domain controllers through replication. Those services also listen on the network, so Table 5-10 lists the additional ports that you must open for domain controllers.

Table 5-10   Ports for domain controllers

Port                                          Description
88 (Kerberos; TCP and UDP)                    Used by Windows 2000 and later clients to log on and to obtain tickets for access to other servers.
123 (NTP; UDP)                                Time synchronization for network clients using the Network Time Protocol (NTP).
135 (RPC endpoint mapper/DCOM; TCP)           Lets RPC clients discover the dynamically assigned ports that an RPC server is listening on.
389 (LDAP; TCP and UDP)                       The primary way that clients query Active Directory for user information, e-mail addresses, services, and other directory data.
464 (Kerberos password changes; TCP and UDP)  Lets users change passwords securely through the Kerberos change-password protocol.
636 (LDAP over SSL; TCP)                      Needed if LDAP uses SSL to provide encryption and mutual authentication for LDAP traffic.
3268 (Global Catalog; TCP)                    Lets clients search Active Directory information that spans multiple domains.
3269 (Global Catalog over SSL; TCP)           Needed if Global Catalog queries use SSL for encryption and mutual authentication.

NOTE   If your domain controller is running DNS, you must also open port 53 (TCP and UDP).
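
Before trusting a firewall rule set, verify from a domain member that each port in Table 5-10 actually answers. The PowerShell script below is an added example, not code from the book: it probes the TCP ports in the table plus port 53, then checks the two UDP services separately, because Test-NetConnection only tests TCP. NTP is checked by asking the domain controller for a time sample with w32tm.exe, and DNS by resolving the DC locator SRV record against that domain controller. The DC and domain names are placeholders. Two things the table does not say and a practitioner should know: port 135 only hands out dynamically assigned RPC ports (by default 1025 through 5000 on Windows Server 2003, 49152 through 65535 on Windows Server 2008 and later), so replication and remote administration also need that range, or a range you restrict under HKLM\Software\Microsoft\Rpc\Internet, to pass the firewall; and the DC locator also uses 389/UDP (CLDAP), while Windows XP and Windows Server 2003 clients use 88/UDP and 464/UDP by default.

```powershell
# Added example (not from the book): from a domain member, confirm that the Table 5-10 ports
# (plus 53, since this DC is assumed to host DNS) answer on a domain controller.
# Needs PowerShell 4+ on Windows 8.1 / Server 2012 R2 or later (Test-NetConnection, Resolve-DnsName);
# w32tm.exe is built into Windows. The DC and domain names below are placeholders for this example.
param(
    [string]$Dc     = 'dc01.corp.example',
    [string]$Domain = 'corp.example'
)

# TCP listeners from Table 5-10 (and the NOTE), keyed by port number.
$tcpPorts = [ordered]@{
    '88'   = 'Kerberos'
    '135'  = 'RPC endpoint mapper'
    '389'  = 'LDAP'
    '464'  = 'Kerberos password change'
    '636'  = 'LDAP over SSL'
    '3268' = 'Global Catalog'
    '3269' = 'Global Catalog over SSL'
    '53'   = 'DNS'
}

# One TCP connect per port; TcpTestSucceeded is $false when the port is closed or filtered.
$results = foreach ($port in $tcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $Dc -Port ([int]$port) -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = [int]$port; Protocol = 'TCP'; Service = $tcpPorts[$port]; Open = $t.TcpTestSucceeded }
}

# 123/UDP: Test-NetConnection only probes TCP, so request one time sample from the DC instead.
# A reachable NTP server yields a sample line like "12:00:00, +00.0012345s"; a blocked one shows "error: 0x...".
$ntp = & w32tm.exe /stripchart "/computer:$Dc" /samples:1 /dataonly 2>&1
$results += [pscustomobject]@{ Port = 123; Protocol = 'UDP'; Service = 'NTP'; Open = [bool]($ntp -match ',\s*[+-]\d') }

# 53/UDP: resolve the DC locator SRV record against this DC; a DC that hosts DNS must answer it.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Port = 53; Protocol = 'UDP'; Service = 'DNS (DC locator SRV)'; Open = [bool]$srv }

$results | Sort-Object Port | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Open }) { exit 1 }   # non-zero exit so the check can gate a change
```

Run it from a member server or workstation in the same network segment your clients use, not from the domain controller itself, because a local test never traverses the firewall you are trying to validate. A closed 3268/3269 is expected on a domain controller that is not a global catalog server, so adjust the list to the roles the specific DC holds.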


  File and print servers

File and print servers are responsible for resource storage and controlling access to these resources throughout the enterprise. These servers house the company's documents, trade secrets, financial data, and much more. If these computers are not protected, the entire company might be in jeopardy. These computers must be stable, protected, and available to provide users and applications access to resources stored on these computers.

Like domain controllers, these servers must be physically protected. Anyone who gains physical possession of a file server, or of its disks, can bypass NTFS permissions with offline tools and read everything stored on it. You should take action to protect against this.

Table 5-11 lists security settings for file and print servers that differ from the settings in the Member Servers section earlier in the chapter. In other words, the baseline security settings for file and print servers as outlined here should be incrementally added to the baseline security settings for member servers described previously. These settings are best created in a GPO that is then linked to the OU that contains the file servers.

MORE INFO   For more information on hardening file and print servers in different enterprise environments, see the Windows Server 2003 Security Guide.

Table 5-11   Security settings for file and print servers

Security Setting                                Legacy Client Configuration      Enterprise Client Configuration    High Security Configuration

Security Options
Microsoft network server: Digitally sign        Disabled (Print Servers only)    Disabled (Print Servers only)      Disabled (Print Servers only)
  communications (always)

System Services
Distributed File System                         Disabled                         Disabled                           Disabled
File Replication                                Disabled                         Disabled                           Disabled
Print Spooler                                   Automatic (Print Servers only)   Automatic (Print Servers only)     Automatic (Print Servers only)

  Web servers

Microsoft Internet Information Services (IIS) is the service that provides Web services on a Windows server. Web servers must be properly secured from malicious attackers, while still allowing legitimate clients to access intranet or public Web sites hosted on the server.

IIS is not installed by default on the Windows Server 2003 family of servers, and when you do install IIS 6.0, it installs in a locked-down mode: it serves only static content until you explicitly enable the Web service extensions (such as ASP or ASP.NET) that your applications need. Beyond the best-practice security settings presented in this section for IIS, be sure to protect your Web servers by monitoring security using some form of intrusion detection system, and by implementing proper incident response procedures.

Security settings for Web servers

Security settings for Web servers are best created in a GPO that is then linked to the OU that contains the Web servers. Table 5-12 lists only the settings that differ from those in Table 5-7. In other words, the baseline security settings for Web servers as outlined here should be incrementally added to the baseline security settings for member servers described previously.

MORE INFO   For more information on hardening Web servers in different enterprise environments, see the Windows Server 2003 Security Guide.

Table 5-12   Security settings for Web servers

Security Setting                            Legacy Client Configuration          Enterprise Client Configuration      High Security Configuration

User Rights
Deny access to this computer from           ANONYMOUS LOGON; built-in            ANONYMOUS LOGON; built-in            ANONYMOUS LOGON; built-in
  the network                               Administrator; SUPPORT_388945a0;     Administrator; SUPPORT_388945a0;     Administrator; SUPPORT_388945a0;
                                            Guest; all non-operating-system      Guest; all non-operating-system      Guest; all non-operating-system
                                            service accounts                     service accounts                     service accounts

System Services
HTTP SSL                                    Automatic                            Automatic                            Automatic
IIS Admin Service                           Automatic                            Automatic                            Automatic
World Wide Web Publishing Service           Automatic                            Automatic                            Automatic
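
The incremental tables for the three roles (5-9, 5-11 and 5-12) are easy to deploy through a GPO but easy to get wrong in practice: a right granted by a higher-level GPO, a later override, or a setting left at "Not Defined" silently changes the effective policy. The PowerShell script below is an added example, not code from the book. It exports the effective local policy with secedit.exe and reports each table's user rights, security options and service start modes as pass or fail for the chosen role. It checks the High Security column of Table 5-9 (the Legacy and Enterprise columns leave two rights at their defaults, and the Legacy column keeps LAN Manager hashes so that Windows 9x clients can still log on), maps the two security options to the registry values behind them (NoLMHash, and RequireSecuritySignature for SMB server signing), and treats the Web server deny list as a minimum because the "non-operating-system service accounts" are specific to each organization. The role names, the $PrintServer switch, the temporary file name and the script file name mentioned afterwards are this example's own assumptions.

```powershell
# Added example (not from the book): audit a server's effective local security policy against the
# incremental role baselines in Tables 5-9, 5-11 and 5-12 (High Security column for Table 5-9).
# Run in an elevated PowerShell (3.0+) on the server itself; secedit.exe is built into Windows.
param(
    [ValidateSet('DomainController','FilePrint','Web')][string]$Role = 'DomainController',
    [switch]$PrintServer   # FilePrint only: assumption that the server also hosts the Print Spooler
)

# Well-known SIDs referenced by the tables. RID 500/501 at the end of a SID mark the built-in Administrator/Guest.
$Admins = 'S-1-5-32-544'; $AuthUsers = 'S-1-5-11'; $EntDCs = 'S-1-5-9'; $Anonymous = 'S-1-5-7'

function ConvertTo-Sid([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-32-544"; anything else is an account name we try to resolve.
    if ($Entry.StartsWith('*')) { return $Entry.TrimStart('*') }
    try { return (New-Object System.Security.Principal.NTAccount($Entry)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Entry }   # unresolvable (account does not exist here): compared as-is, so it fails visibly
}

# 1. Export the effective policy and parse [Privilege Rights] into right -> list of SIDs.
$inf = Join-Path $env:TEMP 'baseline-audit.inf'   # temporary file name is an assumption of this example
& secedit.exe /export /cfg $inf | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this script elevated.' }
$rights = @{}; $section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($section -eq 'Privilege Rights' -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_.Trim() } | ForEach-Object { ConvertTo-Sid $_.Trim() })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. Small result collector and three check types: exact right membership, registry value, service start mode.
$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Check, $Expected, $Actual, [bool]$Pass) {
    $results.Add([pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass })
}
function Test-ExactRight($Right, [string[]]$ExpectedSids) {
    $actual = @($rights[$Right] | Where-Object { $_ })
    $pass = (($actual | Sort-Object) -join ',') -eq (($ExpectedSids | Sort-Object) -join ',')   # same set, any order
    Add-Result "User right $Right" ($ExpectedSids -join ',') ($actual -join ',') $pass
}
function Test-RegistryValue($Check, $Path, $Name, $Expected) {
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Add-Result $Check $Expected $actual ($actual -eq $Expected)
}
function Test-ServiceStart($Name, $Expected) {   # Expected is a Win32_Service StartMode: Auto, Manual or Disabled
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    Add-Result "Service $Name start mode" $Expected $svc.StartMode ($svc.StartMode -eq $Expected)
}

# 3. Role baselines, transcribed from the tables (service names are the Windows internal names).
switch ($Role) {
  'DomainController' {
    Test-ExactRight 'SeNetworkLogonRight' @($Admins, $AuthUsers, $EntDCs)
    foreach ($r in 'SeMachineAccountPrivilege','SeInteractiveLogonRight','SeRemoteInteractiveLogonRight',
                   'SeSystemtimePrivilege','SeEnableDelegationPrivilege','SeLoadDriverPrivilege',
                   'SeRestorePrivilege','SeShutdownPrivilege') { Test-ExactRight $r @($Admins) }
    Test-RegistryValue 'Do not store LAN Manager hash on next password change' 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash' 1
    foreach ($s in 'Dfs','DNS','NtFrs','IsmServ','kdc','RpcLocator') { Test-ServiceStart $s 'Auto' }
  }
  'FilePrint' {
    foreach ($s in 'Dfs','NtFrs') { Test-ServiceStart $s 'Disabled' }
    if ($PrintServer) {
      Test-ServiceStart 'Spooler' 'Auto'
      # Table 5-11 relaxes "Digitally sign communications (always)" on print servers only; file servers keep the member-server value.
      Test-RegistryValue 'Microsoft network server: Digitally sign communications (always)' 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature' 0
    }
  }
  'Web' {
    # The deny right must contain at least these principals; the table's non-OS service accounts are site-specific.
    $deny = @($rights['SeDenyNetworkLogonRight'] | Where-Object { $_ })
    $support = ConvertTo-Sid 'SUPPORT_388945a0'   # resolves only where that built-in account still exists
    $required = @{
        'ANONYMOUS LOGON'                  = { $deny -contains $Anonymous }
        'Built-in Administrator (RID 500)' = { $deny | Where-Object { $_ -match '-500$' } }
        'Guest (RID 501)'                  = { $deny | Where-Object { $_ -match '-501$' } }
        'SUPPORT_388945a0'                 = { $deny -contains $support }
    }
    foreach ($k in $required.Keys) { Add-Result "Deny network logon: $k" 'present' ($deny -join ',') ([bool](& $required[$k])) }
    foreach ($s in 'HTTPFilter','IISADMIN','W3SVC') { Test-ServiceStart $s 'Auto' }
  }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit so the audit can gate a deployment
```

Saved as, say, Audit-RoleBaseline.ps1, it is run elevated on the server (for example `.\Audit-RoleBaseline.ps1 -Role FilePrint -PrintServer`); a non-zero exit code means at least one check failed. Because `secedit /export` reports the policy as actually applied to the computer, a right that a higher-level GPO widens shows up as a failure even when the OU-linked GPO matches the table, which is exactly the drift this check exists to catch.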

Ports required for Web servers

Web servers should have limited ports available, to reduce their exposure to attacks from the local network and the Internet. The fewer the ports that are open, the better. Table 5-13 is a list of additional ports that you will need to open for Web servers.

Table 5-13   Ports for Web servers

Port          Description
80 (HTTP)     The standard HTTP port for serving Web content to users. The port can be changed in IIS and is not required (for example, on a site that serves only HTTPS). If you change the HTTP port, add the new port to this list and configure the same port on the Web site within IIS.
443 (HTTPS)   HTTP over SSL, which adds integrity, encryption, and authentication for Web traffic.

Click for the next excerpt in this series: Client hardening

Click for the book excerpt series or visit www.microsoft.com to purchase "Microsoft Windows Group Policy Guide."

This was first published in November 2005