- 1 Windows Hardening guide
- 1.1 Security baseline for Windows server 2003 and Windows server 2008
- 1.2 Checklist
- 1.3 Installation shall be done on a clean system
- 1.4 Only one Operating System on the server
- 1.5 English version must be used
- 1.6 All partitions use NTFS
- 1.7 The system must be installed on its own volume
- 1.8 Attack surface must be reduced
- 1.9 No extra components
- 1.10 Latest Service Packs added
- 1.11 Lock down the filesystem
- 1.12 Lock down the registry
- 1.13 Other settings that must be checked
- 1.14 IIS if used must be locked down
Windows Hardening guide
Be advised that work on this guide has only just begun. Latest change: 2008-11-29
Security baseline for Windows server 2003 and Windows server 2008
This document describes the steps necessary to harden an already installed Windows 2003 Server installation. Therefore it will not go into detail about the installation process. For each step that you do not follow in this guide, you should document why you didn’t. This document should then be added to the server’s documentation. It has been successfully tested on a few Windows 2008 server installations as well, but not enough that we want to call this a 2003/2008 guide.
This is meant to help you create and maintain a minimum security baseline. Most installations of Windows can be secured much further, but this baseline is created to raise the common security of all Windows servers installed.
Go through this checklist and document every case in which you choose not to adhere to the baseline.
Installation shall be done on a clean system
Reason: When you upgrade a system, you get a lot of extra files, leftover registry entries and other remaining data that can affect stability and security.
Only one Operating System on the server
Reason: Avoid dual boot configurations. Otherwise, it may be trivial to boot into the other installation and bypass security settings on the first.
English version must be used
Reason: Localized Service Packs and software are released later than the native English ones.
All partitions use NTFS
Reason: NTFS supports security properties and auditing. FAT16/32 does not.
The system must be installed on its own volume
Reason: To mitigate the risk of directory traversal attacks, data must reside on a different partition from the system.
Attack surface must be reduced
Reason: In order to mitigate the risk of compromise, you should only install the components explicitly requested by the customer.
Services that should not be used by default:
- Help and Support
- IPSEC Services
- Print Spooler
- Windows Firewall/Internet Connection Sharing (ICS)
- Wireless Configuration
(Some of these services may be needed. If you need to print from this server or print through this server, the Print Spooler must be running.) Note any other service that you chose to run or not to run.
No extra components
Reason: Unless needed, no extra components should be installed via Add/Remove Programs. If you need to install e.g. IIS, note it under “” below. A complete list of components that should be installed on ALL baseline servers can be found in “Baseline for Windows 2003 Serverd.doc”.
Latest Service Packs added
Reason: Unless there is a specific reason not to, the server should run the latest Service Pack available. The primary reason is security, but installations may also be unsupported by Microsoft unless they are at a recent Service Pack level. The current Service Pack levels can be found here: http://www.microsoft.com/windows/lifecycle/servicepacks.mspx
Lock down the filesystem
Note: %SystemRoot% is the directory that holds the currently running installation of Windows. Normally it is c:\windows.
Remove "Everyone" and "All Users" from the root of the system disk. Change the permissions on %SystemRoot%\repair so that only Administrators and SYSTEM have access (Full Control).
Create a new directory called %SystemRoot%\dump to which only Administrators and SYSTEM have Full Control. Enable auditing for Everyone on this folder: check all checkboxes under Failed and the “Change Permissions” checkbox under Successful.
Then go to Control Panel - System - Advanced - Startup and Recovery settings. Change the path under “Dump File” to %SystemRoot%\dump\MEMORY.DMP (it must end with a filename). Then run drwtsn32.exe and change the “Crash Dump” path to %SystemRoot%\dump\user.dmp.
Lock down the registry
Disable AutoRun for CD-ROM drives.
Find this key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun
Change the value to 0 (REG_DWORD).
Secure registry keys for the SNMP service.
Only allow these accounts to access the keys:
Administrators – Full Control
System – Full Control
Secure the registry keys below with this access:
Administrators and System - Full Control
Authenticated Users – Read
Also set auditing for Everyone on these keys: check all checkboxes under Failed and the “Set Value” checkbox under Successful.
HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (leave the permissions for Terminal Server User in place, if present)
Select "winreg". Click Security and then Permissions. Only SYSTEM, Administrators and Backup Operators should have permissions. This is the default on a Windows 2003 Server, but it is worth checking anyway.
Navigate to Start / Control Panel / Administrative Tools / “Local Security Policy”. Expand “Security Settings” and “Local Policies”. Choose “Security Options” and set “Network security: Do not store LAN Manager hash value on next password change” to Enabled.
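The filesystem and registry steps above can be verified instead of re-checked by hand. The following PowerShell script is an added, read-only audit (not part of the original guide): it reports deviations from the baseline and changes nothing. It assumes an English install (so identity names such as BUILTIN\Administrators match), that the "winreg" key is HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg, that the "Dump File" setting lives in HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFile, and that the LAN Manager hash policy maps to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1; those mappings are mine, not the guide's.

```powershell
# Added read-only audit of the guide's filesystem and registry baseline. Not part of
# the guide; it only reports deviations. Run from an elevated PowerShell prompt.
$SystemRoot  = $env:SystemRoot                          # normally C:\WINDOWS
$AdminSystem = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-ExtraIdentities {
    # Lists every identity holding an ACE on $Path that is not in $Allowed.
    param([string]$Path, [string[]]$Allowed)
    if (-not (Test-Path -Path $Path)) { return "<missing: $Path>" }
    (Get-Acl -Path $Path).Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique |
        Where-Object { $Allowed -notcontains $_ }
}

function Get-RegValue {
    # Returns a registry value (REG_EXPAND_SZ already expanded), or $null if absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { $null }
}

# Root of the system disk: the guide wants "Everyone" removed.
$rootIds = (Get-Acl -Path "$env:SystemDrive\").Access | ForEach-Object { $_.IdentityReference.Value }
if ($rootIds -contains 'Everyone') { Write-Warning "Everyone still has an ACE on $env:SystemDrive\" }

$aclChecks = @(
    @{ Path = "$SystemRoot\repair"; Allowed = $AdminSystem },
    @{ Path = "$SystemRoot\dump";   Allowed = $AdminSystem },
    # DrWatson key: Authenticated Users may read; the guide lets Terminal Server User stay.
    @{ Path    = 'HKLM:\SOFTWARE\Microsoft\DrWatson'
       Allowed = $AdminSystem + 'NT AUTHORITY\Authenticated Users' + 'NT AUTHORITY\TERMINAL SERVER USER' },
    # Remote registry access, i.e. the "winreg" key (assumed path, see lead-in).
    @{ Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
       Allowed = $AdminSystem + 'BUILTIN\Backup Operators' }
)
foreach ($c in $aclChecks) {
    $extra = @(Get-ExtraIdentities -Path $c.Path -Allowed $c.Allowed)
    if ($extra.Count -gt 0) { Write-Warning "$($c.Path): unexpected ACEs for $($extra -join ', ')" }
}

# Registry values behind the guide's settings (NoLMHash mapping is assumed, see lead-in).
$valueChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CDRom';       Name = 'AutoRun';  Want = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Name = 'DumpFile'; Want = "$SystemRoot\dump\MEMORY.DMP" },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';          Name = 'NoLMHash'; Want = 1 }
)
foreach ($v in $valueChecks) {
    $have = Get-RegValue -Key $v.Key -Name $v.Name
    if ($have -ne $v.Want) { Write-Warning "$($v.Key)\$($v.Name) is '$have', baseline wants '$($v.Want)'" }
}
```

A missing AutoRun value is reported as a deviation on purpose: with no value present, CD-ROM AutoRun is enabled.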
Other settings that must be checked
Load “Event Viewer” into the MMC. Right-click each log and choose “Properties”. Set the following:
- Application Log: 16384 KB / Overwrite events as needed
- Security Log: 16384 KB / Overwrite events as needed
- System Log: 16384 KB / Overwrite events as needed
Navigate to Start / Control Panel / Administrative Tools / “Local Security Policy”. Expand “Security Settings” and “Local Policies”, then choose “Audit Policy”. Set it up as follows:
- Audit account logon events: Success, Failure
- Audit account management: Success, Failure
- Audit logon events: Success, Failure
- Audit object access: Failure
- Audit policy change: Success, Failure
- Audit privilege use: Failure
- Audit system events: Success, Failure
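The event log and audit policy settings above can be verified from a script. The following PowerShell is an added, read-only check (not part of the original guide) that works on both Windows Server 2003 and 2008 because it uses WMI and secedit.exe rather than newer cmdlets. It assumes an elevated prompt and that secedit's [Event Audit] section encodes each setting as 1 = Success, 2 = Failure, 3 = both.

```powershell
# Added read-only check of the guide's event log and audit policy baseline. Not part
# of the guide. Requires an elevated prompt (Security log and secedit need it).
$WantMaxKb = 16384

# Event log size and retention via WMI (MaxFileSize is reported in bytes).
foreach ($log in 'Application', 'Security', 'System') {
    $w = Get-WmiObject -Class Win32_NTEventlogFile -Filter "LogfileName='$log'"
    if ($w -eq $null) { Write-Warning "$log log not found"; continue }
    if ($w.MaxFileSize -lt $WantMaxKb * 1024) {
        Write-Warning "$log log: max size $($w.MaxFileSize / 1024) KB, baseline wants $WantMaxKb KB"
    }
    if ($w.OverwritePolicy -ne 'WhenNeeded') {
        Write-Warning "$log log: overwrite policy is '$($w.OverwritePolicy)', baseline wants 'WhenNeeded'"
    }
}

# Audit policy: export the effective local policy and read its [Event Audit] section.
# Setting names are secedit's; values are bitmasks (1 = Success, 2 = Failure, 3 = both).
$Want = @{
    AuditAccountLogon = 3; AuditAccountManage = 3; AuditLogonEvents  = 3
    AuditObjectAccess = 2; AuditPolicyChange  = 3; AuditPrivilegeUse = 2
    AuditSystemEvents = 3
}
$inf = Join-Path $env:TEMP 'baseline-audit-export.inf'
secedit.exe /export /cfg $inf | Out-Null
$have = @{}
$section = ''
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]') { $section = $matches[1]; continue }
    if ($section -eq 'Event Audit' -and $line -match '^(\w+)\s*=\s*(\d+)') {
        $have[$matches[1]] = [int]$matches[2]
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

foreach ($name in $Want.Keys) {
    # A setting absent from the export means "No auditing" (0).
    $actual = if ($have.ContainsKey($name)) { $have[$name] } else { 0 }
    if ($actual -ne $Want[$name]) {
        Write-Warning "${name}: is $actual, baseline wants $($Want[$name])"
    }
}
```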
IIS if used must be locked down
Reason: IIS must only be installed when needed. By default it is not installed with Windows 2003 Server, and it is recommended that you carefully review which features you really need before installing the IIS role. All features that you do not need must be unchecked when you install the IIS role. The inetpub directory must be moved from the boot drive (normally c:\) to d:\. The easy way to do this is to move the directory and then change the home directory path for the site in IIS Admin. Remember to run “IISReset” afterwards to activate the new settings.
All administrative scripts must be removed from under the inetpub directory. Stop the default site unless you really intend to use it. All sites must be configured to listen only on the primary network connection. This is easy to achieve in IIS Admin by choosing Properties for the site in question: under the “Web Site” tab, change “IP Address” from “(All Unassigned)” to the IP of the production LAN. Always set up valid host headers for every site; the web server should not respond to requests that do not specify a valid DNS host header. This setting is reached in IIS Admin by choosing Properties for the site in question, then clicking “Advanced…” under the “Web Site” tab.
Review the authentication settings for each site. Remember that Basic Authentication is very easy to sniff for passwords; avoid it unless the site is served over https. Integrated authentication is preferable for a site on the intranet, whereas Anonymous Authentication allows anyone to see the pages. Digest authentication requires that passwords be stored with reversible encryption and is best avoided.
For extra hardening, e.g. in a DMZ, consider installing URLScan and putting the HTTP method TRACE on the Deny list. If you know exactly which HTTP methods will be used, you can configure URLScan to allow only those, but this can break the site if more functionality is needed later on.
Never install the FrontPage Server Extensions on any site. They are insecure by design and can open up serious vulnerabilities.