
Server Security Checklist

Microsoft provides a checklist at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp, but I have created a checklist for you by using theirs and other resources (see Table 4-2).

Table 4-2. Server Security Checklist

Columns: Security Step | Record Old Setting (if appropriate) | Date Changed | New Setting. Only the Security Step column is reproduced below; the other three are left blank for your own records.
Have you done all the steps in the workstation security checklist first?
Is your server software up-to-date on patches and service packs?
\REPAIR\ set to Administrators: Full Control, System: Full Control; remove all other permissions.
\SYSTEM32\CONFIG\ set to Administrators: Full Control, System: Full Control, Creator Owner: Full Control, Authenticated Users: List.
\SYSTEM32\SPOOL\ set to Administrators: Full Control, System: Full Control, Creator Owner: Full Control, Authenticated Users: Read, Server Operators: Change.
\COOKIES, \FORMS, \HISTORY, \OCCACHE set to Administrators: Full Control, Creator Owner: Full Control, Authenticated Users: Special Directory Access (R, W, X), Authenticated Users: Special File Access (R).
\PROFILES, \PROFILES\XXXX\SENDTO, \TEMPORARY INTERNET FILES set to System: Full Control. Here XXXX stands for a username; there is one such directory per user profile on the server, and each of them needs to be secured.
In the root directory, set the permissions on \TEMP to Administrators: Full Control, System: Full Control, Creator Owner: Full Control, Authenticated Users: Special Directory Access (R, W, X), Authenticated Users: Special File Access (R).
On the files BOOT.INI, NTLDR, and NTDETECT.COM, set Administrators: Full Control and System: Full Control.
On the files AUTOEXEC.BAT and CONFIG.SYS (if present), set Administrators: Full Control, System: Full Control, Authenticated Users: Read.
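The NTFS rows above all say the same thing in different words: only a short list of principals may appear on each object's ACL. The following script is an added example, not code from the book, that audits a server against those rows with Get-Acl. It assumes the English local principal names ("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM", "CREATOR OWNER", "NT AUTHORITY\Authenticated Users", "BUILTIN\Server Operators") and that the paths live under %SystemRoot% and the system drive; run it elevated so the protected directories can be read.

```powershell
# Added example (not from the book): audit the NTFS ACLs on the paths in Table 4-2
# against an allow-list of principals. Any ACE granted to a principal outside the
# allow-list, and any Deny ACE (the checklist never uses them), is reported as drift.
# Assumptions: English local principal names; paths under $env:SystemRoot / $env:SystemDrive.

function Test-ChecklistAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedPrincipals
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Unexpected = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    $unexpected = foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny' -or $AllowedPrincipals -notcontains $who) {
            '{0}: {1} {2}' -f $who, $ace.AccessControlType, $ace.FileSystemRights
        }
    }
    [pscustomobject]@{
        Path       = $Path
        Status     = if ($unexpected) { 'Drift' } else { 'OK' }
        Unexpected = @($unexpected)
    }
}

$root = $env:SystemRoot
$sys  = $env:SystemDrive
$admin = 'BUILTIN\Administrators'
$system = 'NT AUTHORITY\SYSTEM'
$owner = 'CREATOR OWNER'
$auth = 'NT AUTHORITY\Authenticated Users'

# Rows of Table 4-2 expressed as path -> principals that may appear on the ACL.
# CREATOR OWNER is allowed only where the table lists it.
$checks = @(
    @{ Path = "$root\repair";          Allow = $admin, $system }
    @{ Path = "$root\system32\config"; Allow = $admin, $system, $owner, $auth }
    @{ Path = "$root\system32\spool";  Allow = $admin, $system, $owner, $auth, 'BUILTIN\Server Operators' }
    @{ Path = "$sys\temp";             Allow = $admin, $system, $owner, $auth }
    @{ Path = "$sys\boot.ini";         Allow = $admin, $system }
    @{ Path = "$sys\ntldr";            Allow = $admin, $system }
    @{ Path = "$sys\ntdetect.com";     Allow = $admin, $system }
    @{ Path = "$sys\autoexec.bat";     Allow = $admin, $system, $auth }
    @{ Path = "$sys\config.sys";       Allow = $admin, $system, $auth }
)

foreach ($c in $checks) {
    Test-ChecklistAcl -Path $c.Path -AllowedPrincipals $c.Allow
}
```

The check is deliberately about who is on the ACL, not which rights they hold, because that is the property most often broken by later software installs (an Everyone or Users ACE reappearing). Extending it to verify the exact rights per principal (List versus Read versus Change) is a matter of comparing $ace.FileSystemRights against the row's value. Files that no longer exist on current Windows releases (BOOT.INI, NTLDR) are reported as Missing rather than failed.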
Did you turn on auditing of Account Logon Events (Success and Failure), Account Management Events (Success and Failure), Logon Events (Success and Failure), Object Access (Success and Failure), Policy Change (Success and Failure), and System Events (Success and Failure)?
Set the account policies to the listed settings:

Enforce Password History: 5 passwords remembered

Maximum Password Age: 60–90 days

Minimum Password Age: 1 day

Account Lockout Threshold: 5 invalid logon attempts

Account Lockout Duration: 240 minutes

Reset Account Lockout Counter After: Never (reset manually by an administrator)
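The audit-policy and account-policy rows can be verified from one artifact: on Windows 2000 and later, secedit.exe exports the effective local policy as an INF file whose [System Access] and [Event Audit] sections carry these settings. The script below is an added example, not the book's, that exports the policy and compares it against the values above. It assumes the INF key names that secedit writes (PasswordHistorySize, MaximumPasswordAge, MinimumPasswordAge, LockoutBadCount, LockoutDuration, and AuditAccountLogon, AuditAccountManage, AuditLogonEvents, AuditObjectAccess, AuditPolicyChange, AuditSystemEvents, where 3 means success and failure) and must run elevated.

```powershell
# Added example (not from the book): export the local security policy with secedit.exe
# and compare [System Access] and [Event Audit] against the Table 4-2 rows.
# Assumptions: Windows 2000 or later; key names as written by secedit; ages are in days,
# lockout times in minutes, LockoutDuration -1 = "until an administrator unlocks";
# [Event Audit] values are 0 none, 1 success, 2 failure, 3 success and failure.

function Export-LocalPolicy {
    $tmp = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
    try     { Get-Content -LiteralPath $tmp -Encoding Unicode }
    finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }
}

# Parse "[Section]" headers and "Key = Value" lines into a hashtable of hashtables.
function ConvertFrom-SecurityInf {
    param([string[]] $Lines)
    $sections = @{}
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        }
        elseif ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    $sections
}

function Test-AccountPolicy {
    param([hashtable] $Policy)
    $sa = $Policy['System Access']
    $ea = $Policy['Event Audit']
    # Expected values from Table 4-2; a missing key reads as 0 and fails the check.
    $rules = @(
        @{ Name = 'Enforce password history';       Actual = [int]$sa.PasswordHistorySize; Ok = { $args[0] -ge 5 } }
        @{ Name = 'Maximum password age (days)';    Actual = [int]$sa.MaximumPasswordAge;  Ok = { $args[0] -ge 60 -and $args[0] -le 90 } }
        @{ Name = 'Minimum password age (days)';    Actual = [int]$sa.MinimumPasswordAge;  Ok = { $args[0] -ge 1 } }
        @{ Name = 'Account lockout threshold';      Actual = [int]$sa.LockoutBadCount;     Ok = { $args[0] -ge 1 -and $args[0] -le 5 } }
        @{ Name = 'Account lockout duration (min)'; Actual = [int]$sa.LockoutDuration;     Ok = { $args[0] -eq -1 -or $args[0] -ge 240 } }
    )
    foreach ($cat in 'AuditAccountLogon', 'AuditAccountManage', 'AuditLogonEvents',
                     'AuditObjectAccess', 'AuditPolicyChange', 'AuditSystemEvents') {
        $rules += @{ Name = "$cat (3 = success and failure)"; Actual = [int]$ea[$cat]; Ok = { $args[0] -eq 3 } }
    }
    foreach ($r in $rules) {
        [pscustomobject]@{ Setting = $r.Name; Actual = $r.Actual; Compliant = (& $r.Ok $r.Actual) }
    }
}

$policy = ConvertFrom-SecurityInf -Lines (Export-LocalPolicy)
Test-AccountPolicy -Policy $policy | Format-Table -AutoSize
```

On Windows Vista and later the nine legacy categories are subdivided and per-subcategory settings made with auditpol.exe take precedence over what secedit reports, so on those systems treat `auditpol /get /category:*` as the authoritative view and use the secedit export only for the account-policy rows.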
Disable or unbind from external interfaces:

Alerter

Clipbook Server

Dynamic Host Configuration Protocol (DHCP)

Windows Internet Naming System (WINS)

Directory Replicator

Messenger

Network DDE

Network DDE DSDM

Schedule

Simple TCP/IP Services

Simple Network Management Protocol (SNMP)

Services for Macintosh

If you are using IIS, do not install the FTP or Gopher services unless absolutely necessary.
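Disabling a service means more than stopping it: the start mode has to be Disabled or the service returns at the next boot. The following script is an added example, not from the book, that locates the services in the list above by display name, reports their current state and start mode, and disables those still enabled. The display-name wildcard patterns are my assumptions, since the exact names differ between NT 4.0, Windows 2000 and later releases; a pattern that matches nothing is reported as Absent rather than failing. Run it elevated, and with -WhatIf first.

```powershell
# Added example (not from the book): report and disable the services Table 4-2 lists.
# Services are matched by display-name wildcard (patterns assumed, adjust for your build);
# unmatched patterns are reported as Absent. Supports -WhatIf for a dry run.

function Disable-ChecklistService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $DisplayNamePatterns)

    foreach ($pattern in $DisplayNamePatterns) {
        $found = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Pattern = $pattern; Service = $null; State = 'Absent'; StartMode = $null; Action = 'none' }
            continue
        }
        foreach ($svc in $found) {
            # Win32_Service exposes the start mode (Auto/Manual/Disabled) on every PowerShell version.
            $wmi = Get-CimInstance -ClassName Win32_Service -Filter ("Name = '{0}'" -f $svc.Name)
            $action = 'none'
            if ($wmi.StartMode -ne 'Disabled' -and
                $PSCmdlet.ShouldProcess($svc.Name, 'Stop and set startup type to Disabled')) {
                Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
                Set-Service  -Name $svc.Name -StartupType Disabled
                $action = 'disabled'
            }
            [pscustomobject]@{
                Pattern = $pattern; Service = $svc.Name; State = $svc.Status
                StartMode = $wmi.StartMode; Action = $action
            }
        }
    }
}

# Display-name patterns for the checklist's service list (assumed; adjust for your build).
$unneeded = 'Alerter', 'ClipBook*', '*DHCP Server*', '*Internet Name*', 'Directory Replicator',
            'Messenger', 'Network DDE', 'Network DDE DSDM', 'Schedule*', 'Simple TCP/IP Services',
            'SNMP*', '*Macintosh*'

# Dry run; remove -WhatIf to apply the changes.
Disable-ChecklistService -DisplayNamePatterns $unneeded -WhatIf | Format-Table -AutoSize
```

Wildcards such as 'SNMP*' will also catch related services ('SNMP Trap' on current releases), which is what the checklist intends for SNMP but is worth reviewing in the dry-run output before applying. Unbinding a service from an external interface, as the row's heading allows as an alternative, is done in the network binding configuration rather than by this script.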
Did you enable and password-protect a screen saver, preferably one that forces logoff?
Hive: HKEY_LOCAL_MACHINE

Key: \System\CurrentControlSet\Services\Eventlog\System

Key: \System\CurrentControlSet\Services\Eventlog\Application

Key: \System\CurrentControlSet\Services\Eventlog\Security

Name: RestrictGuestAccess

Type: REG_DWORD

Value: 1 (1 keeps guest and anonymous users out of the log; 0 allows them to read it)

Permissions on each of these keys: Administrators: Full Control, System: Full Control, Creator Owner: Full Control
Hive: HKEY_LOCAL_MACHINE

Key: \System\CurrentControlSet\Services\LanmanServer\Parameters

Name: AutoShareServer

Type: REG_DWORD

Value: 0 (stops the Server service from creating the C$, D$ and ADMIN$ administrative shares at startup)
Change the permissions on HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ from Everyone: Special Access to Everyone: Read Control, Query Value, Enumerate Subkeys, Notify. Leave all other values at their current settings. If the Authenticated Users group is present, reduce it to the same permissions.
The App Paths, Uninstall, Run, RunOnce, and RunOnceEx subkeys under that key should have their permissions set to Everyone: Read and Authenticated Users: Read. Leave all other permissions at their current settings. Propagate these changes to all subkeys below these keys.
The key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon should be restricted to Everyone: Read and Authenticated Users: Read. Leave any other permissions at the defaults.
Hive: HKEY_LOCAL_MACHINE

Key: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Name: AutoAdminLogon

Type: REG_SZ

Value: 0

Name: DefaultPassword

Type: REG_SZ

Value: (none). If this value holds anything, clear it so it is empty, or delete the value altogether: Winlogon stores the automatic-logon password here in plaintext, readable by anyone who can read the key.
Did you remove the POSIX and OS/2 subsystems?
Remove the Everyone and Authenticated Users groups from the ACL of the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib. Do not set their permissions to NONE; simply remove those groups from the ACL.
Hive: HKEY_LOCAL_MACHINE

Key: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Name: CachedLogonsCount

Type: REG_SZ

Value: 0 (no domain credentials are cached locally, so a domain account cannot log on to this server while no domain controller is reachable)
High-Security Systems
Hive: HKEY_LOCAL_MACHINE

Key: \System\CurrentControlSet\Control\LSA

Name: AuditBaseObjects

Type: REG_DWORD

Value: 1

Hive: HKEY_LOCAL_MACHINE

Key: \System\CurrentControlSet\Control\LSA

Name: FullPrivilegeAuditing

Type: REG_DWORD

Value: 1

Both values only take effect once the corresponding audit categories are enabled (Object Access for AuditBaseObjects, Privilege Use for FullPrivilegeAuditing), and both sharply increase the volume of Security log events: AuditBaseObjects audits kernel base objects such as mutexes and semaphores, and FullPrivilegeAuditing audits every use of the Backup and Restore privileges. Increase the Security log size before turning them on.
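The registry rows in this table, from the Eventlog RestrictGuestAccess values through CachedLogonsCount and the two High-Security LSA values, are all point checks of a single value, so one script can verify them. The following is an added example, not the book's code, that reads each value and reports drift, recording alongside each rule why the value matters so that a reviewer sees the reasoning rather than a bare number. It assumes the value types as corrected above (AutoAdminLogon and CachedLogonsCount are REG_SZ strings, the rest REG_DWORD) and must run elevated to read the Security log key.

```powershell
# Added example (not from the book): compare the registry values Table 4-2 specifies
# against the live registry and report drift.
# Assumptions: value types as corrected in the checklist (AutoAdminLogon and
# CachedLogonsCount are REG_SZ, the others REG_DWORD); run elevated.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LanmanKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Expect = $null means "the value must be absent or empty" (DefaultPassword).
$rules = @(
    @{ Key = "$EventLogKey\Application"; Name = 'RestrictGuestAccess';   Expect = 1;     Why = 'Keep guest/anonymous users out of the Application log' }
    @{ Key = "$EventLogKey\System";      Name = 'RestrictGuestAccess';   Expect = 1;     Why = 'Keep guest/anonymous users out of the System log' }
    @{ Key = "$EventLogKey\Security";    Name = 'RestrictGuestAccess';   Expect = 1;     Why = 'Keep guest/anonymous users out of the Security log' }
    @{ Key = $LanmanKey;                 Name = 'AutoShareServer';       Expect = 0;     Why = 'Do not create C$/ADMIN$ shares at boot' }
    @{ Key = $WinlogonKey;               Name = 'AutoAdminLogon';        Expect = '0';   Why = 'No unattended logon at the console' }
    @{ Key = $WinlogonKey;               Name = 'DefaultPassword';       Expect = $null; Why = 'A stored password is readable in plaintext' }
    @{ Key = $WinlogonKey;               Name = 'CachedLogonsCount';     Expect = '0';   Why = 'No domain credential cache on a server' }
    @{ Key = $LsaKey;                    Name = 'AuditBaseObjects';      Expect = 1;     Why = 'High security: audit kernel base objects' }
    @{ Key = $LsaKey;                    Name = 'FullPrivilegeAuditing'; Expect = 1;     Why = 'High security: audit Backup/Restore privilege use' }
)

function Get-RegistryValueOrNull {
    param([string] $Key, [string] $Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function Test-RegistryRule {
    param([hashtable] $Rule)
    $actual = Get-RegistryValueOrNull -Key $Rule.Key -Name $Rule.Name
    # An absent value is compliant only where the checklist wants it gone; elsewhere an
    # absent value is reported as drift rather than assumed to equal the default.
    $ok = if ($null -eq $Rule.Expect) { [string]::IsNullOrEmpty([string]$actual) }
          else { ($null -ne $actual) -and ("$actual" -eq "$($Rule.Expect)") }
    [pscustomobject]@{
        Key = $Rule.Key; Name = $Rule.Name; Expected = $Rule.Expect; Actual = $actual
        Compliant = $ok; Why = $Rule.Why
    }
}

$rules | ForEach-Object { Test-RegistryRule -Rule $_ } | Format-Table -AutoSize
```

Comparing as strings ("$actual" -eq "$($Rule.Expect)") makes the check indifferent to whether an administrator created a value as REG_SZ "0" or REG_DWORD 0; if you also want to flag the wrong type, inspect the value kind with (Get-Item -LiteralPath $Rule.Key).GetValueKind($Rule.Name).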
Did you set up TCP/IP Filtering for extra security?
Did you create a false Administrator account and set up auditing to watch its activity?
Did you secure the AllowedPaths keys?
Windows 2000 Servers
Did you set the System Security Policies as indicated in Chapter 4, Securing Your Servers?
Did you reduce or eliminate unneeded services?
Did you change the SysKey settings?
Did you set up any IP Filtering?
Did you tighten the TCP/IP settings?
Did you restrict access to special executable files?
Did you set up the Encrypting File System on directories that contain sensitive data?