Jonathan Hassell, author of Hardening Windows, recently conducted a checklist-style webcast that outlined 15 steps you can take right now to harden Windows Server 2003 against various threats. Here's a look at Jonathan's 15 steps and some of the main points he discussed.
Step 1: Be rigid on passwords
Main points: Enforce stronger authentication by encouraging the use of passphrases and requiring a 15-character minimum.
Step 2: Use Windows XP software restriction policies through Group Policy
Main points: Use Group Policy to block all extensions related to scripts and disallow especially nefarious programs (cmd. exe, Regedit.exe). Register now to continue reading the rest of the steps to take.
Step 3: Enable Internet Connection Firewall (ICF)
Main points: Almost every machine in your company can benefit from having a firewall. ICF only blocks incoming traffic, uses stateful packet inspection and allows you to force open particular ports.
Step 4: Kill LM hashes
Main points: To eliminate LM hashes, require a 15-character minimum for passwords and enable the Security Option "Network Security: Do not store LAN manager hash value on next password change."
Step 5: Strengthen TCP/IP stack Main points: You should not connect Windows systems directly to the Internet. Instead increase RAM for TCP connections and decrease timeout values for 3-way handshakes.
Step 6: Mandate SMB signing
Main points: SMB signing will help you prevent man-in-the-middle attacks.
Step 7: Harden network policies
Main points: You should enable settings like "Do not allow anon. enum of SAM" and disable settings like "Allow anonymous SID/Name translation." This may be considered security by obscurity, but it's an important component of hardened Windows systems.
Step 8: Use Software Update Services (SUS)
Main points: You should always use SUS or some other patch management system to receive, distribute and schedule the most up-to-date patches.
Step 9: Rope off, quarantine, sanitize
Main points: This is a very important step. Using Network Access Quarantine Control, you should limit or disallow resources to certain clients, put non-quarantined clients in a holding bin to verify system attributes and finally provide resources to fix any problems discovered before they're allowed to connect.
Step 10: Plan for the worst
Main points: To plan for disasters, use scripts to build up 80% of your infrastructure and leave yourself much more time to manually reconstruct the remaining 20%.
Step 11: Get the Group Policy Management Console
Main points: It's now easier than ever to use Group Policy to set security policies across the board -- and you should take advantage of it.
Step 12: Use the Microsoft Baseline Security Analyzer (MBSA)
Main points: This is a handy tool used to scan computers in a Windows Update-like fashion. It is continually updated by Microsoft and it supports a number of products.
Step 13: Familiarize yourself with IPsec
Main points: IP is too public not to be encrypted. You should use IPsec to protect transmissions between servers, client tunnels and any point-to-point IP transactions where both ends know how to read IPsec.
Step 14: Use Internet Information Services (IIS) 6.0 Main points: Thanks to many new security improvements, IIS is finally ready for prime-time hosting.
Step 15: Play with Windows Server 2003 Service Pack 1
Main points: With release expected in mid-2005, improvements will include a security configuration wizard and remote client quarantine.
About the Author:
Jonathan Hassell is author of Hardening Windows, published by Apress. He is a systems administrator and IT consultant residing in Raleigh, NC, with extensive experience in networking technologies and Internet connectivity. He currently runs his own Web-hosting business, Enable Hosting, based out of both Raleigh and Charlotte, NC. Jonathan's previous published work includes RADIUS, published by O'Reilly and Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security.
This tip orginally appeared on SearchWindowsSecurity.com.