Windows Server 2003 Security Tips
The following is recommended for all Windows server deployments before placing them on the network:
- Fully update the operating system components and all applications on the system and maintain this patch state. Be sure that automatic updates from Microsoft are enabled.
- Disable any services that are not expressly used for the purpose of the server.
- Install an anti-virus program and bring it up to date. Be sure to schedule automatic updates and scans during low usage time periods (overnight, really early in the morning).
- Change the default name for the administrator account and ensure that the password for that account is complex and longer than 8 characters.
- Disable the guest account.
- Enable all applicable auditing measures for access attempts, system events, application events and security events. Raise the maximum log size to a level that retains enough history to support an investigation should the need arise.
- Run the "Manage Your Server" tool located in Administrative Tools to assist in enabling services related to your server's role.
- Inspect the Windows Firewall to verify that any exceptions are only allowed for the IP ranges the services you are running require (e.g. the school's IP range if the service is to be accessed only by faculty/staff, or the internet at large if you want anyone to be able to access it). Do this for all exceptions in the firewall.
- Run the Microsoft Baseline Security Analyzer (MBSA) against your system to find any general deficiencies in your configuration and correct any that are found.
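The checklist above can be spot-checked from the server itself. The following read-only PowerShell audit is an added example, not a tool from the original page or from Microsoft; it assumes PowerShell 2.0 or later, that it is run from an administrative prompt (secedit needs it), and that the `$ExpectedServices` list and the 64 MB log threshold are placeholders you replace with what your server's role actually requires.

```powershell
# Added example: read-only audit of several checklist items on the local server.
# $ExpectedServices is a constructed placeholder; list the services your role needs.
$ExpectedServices = @('Dnscache', 'EventLog', 'lanmanserver', 'RpcSs', 'W32Time', 'wuauserv')

function Get-BuiltinAccountFindings {
    # Well-known RIDs: 500 = built-in Administrator, 501 = Guest. The SID survives a
    # rename, so matching on it shows whether the default name is still in use.
    $findings = @()
    $accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($a in $accounts) {
        if ($a.SID -like '*-500' -and $a.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator (RID 500) still uses the default name.'
        }
        if ($a.SID -like '*-501' -and -not $a.Disabled) {
            $findings += 'Guest account (RID 501) is enabled.'
        }
    }
    return $findings
}

function Get-UnexpectedRunningServices {
    # Running services missing from the expected list are candidates for disabling.
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $ExpectedServices -notcontains $_.Name } |
        Select-Object Name, DisplayName
}

function Get-AuditPolicyFindings {
    # secedit exports the effective local policy. In its [Event Audit] section,
    # 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $findings = @()
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Audit\w+)\s*=\s*(\d)' -and [int]$Matches[2] -ne 3) {
            $findings += "$($Matches[1]) = $($Matches[2]) (not success and failure)"
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $findings
}

function Get-SmallEventLogs([int]$MinBytes = 64MB) {
    # Logs below the chosen ceiling wrap too quickly to support a later investigation.
    Get-WmiObject Win32_NTEventlogFile | Where-Object { $_.MaxFileSize -lt $MinBytes } |
        Select-Object LogfileName, MaxFileSize
}

Get-BuiltinAccountFindings
Get-UnexpectedRunningServices
Get-AuditPolicyFindings
Get-SmallEventLogs
```

Each function reports only; review the output against the role of the server before changing anything, since a service or audit category that looks unnecessary here may still be required by an application you run.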
Simply skip to the section that applies most to the role your server is performing. When you have placed the system on the network, use a tool such as the Nessus Vulnerability Scanner to ensure that only the ports that are necessary for your server to perform its role are open for communication. If you see ports open that are not directly related to the tasks your server performs, be sure to close them.
For any server that runs Web-based services through IIS, consider utilizing URLScan, a tool provided by Microsoft that analyzes client file requests (such as a client requesting an update from a WSUS server) and allows or blocks those requests based on the file type they request, the folder they are requesting and several other factors.
Finally, here are some general rules of thumb:
- Only allow access to your system for individuals who have a business need for the services it provides.
- Administrative access should only be given to trusted individuals who are responsible and require access to perform their job. Do not give administrative access to too many people, as this will possibly compromise the security state of your server.
- Do not allow generic accounts to be created on the server that are shared by multiple users. This can complicate the auditing process if a system has been compromised. Instead, create individual accounts for anyone who requires administrative access.