Jonathan Hassell recently conducted a checklist-style webcast. He outlined 15 steps you can take right now to harden Windows Server 2003. Here's a look at some of the main points he discussed.
Copyright:
Attribution Non-Commercial (BY-NC)
Jonathan Hassell, author of Hardening Windows, recently conducted a checklist-style webcast that outlined 15 steps you can take right now to harden Windows Server 2003 against various threats. Here's a look at Jonathan's 15 steps and some of the main points he discussed.
Step 1: Be rigid on passwords
Main points: Enforce stronger authentication by encouraging the use of passphrases and requiring a 15-character minimum.
Step 2: Use Windows XP software restriction policies through Group Policy
Main points: Use Group Policy to block all extensions related to scripts and disallow especially nefarious programs (cmd.exe, Regedit.exe).
Step 3: Enable Internet Connection Firewall (ICF)
Main points: Almost every machine in your company can benefit from having a firewall. ICF only blocks incoming traffic, uses stateful packet inspection and allows you to force open particular ports.
Step 4: Kill LM hashes
Main points: To eliminate LM hashes, require a 15-character minimum for passwords and enable the Security Option "Network security: Do not store LAN Manager hash value on next password change."
Step 5: Strengthen TCP/IP stack
Main points: You should not connect Windows systems directly to the Internet. Instead, increase RAM for TCP connections and decrease timeout values for 3-way handshakes.
Step 6: Mandate SMB signing
Main points: SMB signing will help you prevent man-in-the-middle attacks.
Step 7: Harden network policies
Main points: You should enable settings like "Do not allow anonymous enumeration of SAM accounts" and disable settings like "Allow anonymous SID/Name translation." This may be considered security by obscurity, but it's an important component of hardened Windows systems.
Step 8: Use Software Update Services (SUS)
Main points: You should always use SUS or some other patch management system to receive, distribute and schedule the most up-to-date patches.
Step 9: Rope off, quarantine, sanitize
Main points: This is a very important step. Using Network Access Quarantine Control, you should limit or disallow resources to certain clients, put non-quarantined clients in a holding bin to verify system attributes and finally provide resources to fix any problems discovered before they're allowed to connect.
Step 10: Plan for the worst
Main points: To plan for disasters, use scripts to build up 80% of your infrastructure and leave yourself much more time to manually reconstruct the remaining 20%.
Step 11: Get the Group Policy Management Console
Main points: It's now easier than ever to use Group Policy to set security policies across the board -- and you should take advantage of it.
Step 12: Use the Microsoft Baseline Security Analyzer (MBSA)
Main points: This is a handy tool used to scan computers in a Windows Update-like fashion. It is continually updated by Microsoft and it supports a number of products.
Step 13: Familiarize yourself with IPsec
Main points: IP is too public not to be encrypted. You should use IPsec to protect transmissions between servers, client tunnels and any point-to-point IP transactions where both ends know how to read IPsec.
Step 14: Use Internet Information Services (IIS) 6.0
Main points: Thanks to many new security improvements, IIS is finally ready for prime-time hosting.
Step 15: Play with Windows Server 2003 Service Pack 1
Main points: With release expected in mid-2005, improvements will include a security configuration wizard and remote client quarantine.
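One way to verify the settings from Steps 1, 4, 6 and 7 on a server, as an added example that is not from the webcast: it parses the text of a `secedit /export /cfg` security policy export and reports each setting that does not match the checklist. The sample export is constructed, the helper names `parse_inf` and `audit` are hypothetical, and only the server-side SMB signing value is checked.

```python
import re

# Constructed sample of `secedit /export /cfg` output; real exports are UTF-16, decode first.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 8
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"
SMB = r"machine\system\currentcontrolset\services\lanmanserver\parameters" + "\\"
# (checklist step, lower-cased setting key, pass condition, expected value)
CHECKS = [
    ("Steps 1 and 4", "minimumpasswordlength", lambda v: v >= 15, ">= 15"),
    ("Step 4", LSA + "nolmhash", lambda v: v == 1, "1"),
    ("Step 6", SMB + "requiresecuritysignature", lambda v: v == 1, "1"),
    ("Step 7", LSA + "restrictanonymoussam", lambda v: v == 1, "1"),
    ("Step 7", "lsaanonymousnamelookup", lambda v: v == 0, "0"),
]

def parse_inf(text):
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[;" or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        # Registry entries read "type,value" (4 = REG_DWORD); keep the value.
        value = raw.split(",")[-1].strip().strip('"')
        if re.fullmatch(r"-?\d+", value):
            settings[key.strip().lower()] = int(value)
    return settings

def audit(text):
    """List (step, setting, found, expected); an absent setting is a finding."""
    settings = parse_inf(text)
    findings = []
    for step, key, passes, expected in CHECKS:
        found = settings.get(key)
        if found is None or not passes(found):
            findings.append((step, key.rsplit("\\", 1)[-1], found, expected))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_INF), sep="\n")
```

A setting that is missing from the export is reported with a found value of `None`, since an unset policy leaves the default in place.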