15 steps to hardening Windows Server 2003

Jonathan Hassell

Jonathan Hassell, author of Hardening Windows, recently conducted a checklist-style
webcast that outlined 15 steps you can take right now to harden Windows Server 2003
against various threats. Here's a look at Jonathan's 15 steps and some of the main points
he discussed.

Step 1: Be rigid on passwords


Main points: Enforce stronger authentication by encouraging the use of passphrases and
requiring a 15-character minimum.

Step 2: Use Windows XP software restriction policies through Group Policy


Main points: Use Group Policy to block all extensions related to scripts and disallow
especially nefarious programs (cmd.exe, Regedit.exe).

Step 3: Enable Internet Connection Firewall (ICF)


Main points: Almost every machine in your company can benefit from having a firewall.
ICF only blocks incoming traffic, uses stateful packet inspection and allows you to force
open particular ports.

Step 4: Kill LM hashes


Main points: To eliminate LM hashes, require a 15-character minimum for passwords
and enable the Security Option "Network Security: Do not store LAN manager hash
value on next password change."

Step 5: Strengthen TCP/IP stack


Main points: You should not connect Windows systems directly to the Internet. Instead,
increase RAM for TCP connections and decrease timeout values for 3-way handshakes.

Step 6: Mandate SMB signing


Main points: SMB signing will help you prevent man-in-the-middle attacks.

Step 7: Harden network policies


Main points: You should enable settings like "Do not allow anon. enum of SAM" and
disable settings like "Allow anonymous SID/Name translation." This may be considered
security by obscurity, but it's an important component of hardened Windows systems.
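
One way to check the Security Options from steps 4, 6 and 7 on a server, as an added example (not from the webcast or from Hardening Windows): a Python script that parses a security template exported with `secedit /export /cfg` and reports which of those settings are absent or set differently. The mapping of each option to its template key is this example's assumption, and the sample template is constructed.

```python
# Assumed mapping of the checklist's Security Options to security-template keys.
LSA = r"machine\system\currentcontrolset\control\lsa"
SVC = r"machine\system\currentcontrolset\services"
# (section, key, expected value, checklist step); keys are compared in lower case
EXPECTED = [
    ("registry values", LSA + r"\nolmhash", "1", "Step 4: do not store LM hash"),
    ("registry values", SVC + r"\lanmanserver\parameters\requiresecuritysignature",
     "1", "Step 6: SMB signing (server)"),
    ("registry values", SVC + r"\lanmanworkstation\parameters\requiresecuritysignature",
     "1", "Step 6: SMB signing (client)"),
    ("registry values", LSA + r"\restrictanonymoussam", "1",
     "Step 7: no anonymous SAM enumeration"),
    ("system access", "lsaanonymousnamelookup", "0",
     "Step 7: no anonymous SID/Name translation"),
]

def parse_template(text):
    """Return {(section, key): value} from security-template INF text."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            continue
        if section == "registry values":
            # Registry entries are "type,data" (4 = REG_DWORD); keep only the data.
            value = value.partition(",")[2]
        settings[(section, key.strip().lower())] = value.strip()
    return settings

def audit(text):
    """Return the checklist items that are missing or set to another value."""
    found = parse_template(text)
    return [label for section, key, want, label in EXPECTED
            if found.get((section, key)) != want]

# Constructed sample export (real exports are UTF-16; decode before calling audit).
SAMPLE = r"""
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

if __name__ == "__main__":
    print("\n".join("NOT HARDENED: " + item for item in audit(SAMPLE)))
```

A setting that is missing from the export is reported the same way as one with the wrong value, so an unconfigured option does not pass silently.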

Step 8: Use Software Update Services (SUS)


Main points: You should always use SUS or some other patch management system to
receive, distribute and schedule the most up-to-date patches.

Step 9: Rope off, quarantine, sanitize

Main points: This is a very important step. Using Network Access Quarantine Control,
you should limit or disallow resources to certain clients, put non-quarantined clients in a
holding bin to verify system attributes and finally provide resources to fix any problems
discovered before they're allowed to connect.

Step 10: Plan for the worst


Main points: To plan for disasters, use scripts to build up 80% of your infrastructure and
leave yourself much more time to manually reconstruct the remaining 20%.

Step 11: Get the Group Policy Management Console


Main points: It's now easier than ever to use Group Policy to set security policies across
the board -- and you should take advantage of it.

Step 12: Use the Microsoft Baseline Security Analyzer (MBSA)


Main points: This is a handy tool used to scan computers in a Windows Update-like
fashion. It is continually updated by Microsoft and it supports a number of products.

Step 13: Familiarize yourself with IPsec


Main points: IP is too public not to be encrypted. You should use IPsec to protect
transmissions between servers, client tunnels and any point-to-point IP transactions
where both ends know how to read IPsec.

Step 14: Use Internet Information Services (IIS) 6.0


Main points: Thanks to many new security improvements, IIS is finally ready for
prime-time hosting.

Step 15: Play with Windows Server 2003 Service Pack 1


Main points: With release expected in mid-2005, improvements will include a security
configuration wizard and remote client quarantine.
