
Windows Server 2003 Recommended Baseline Security (ITSG-20)

IPSec Rule Definitions

netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit

netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit

netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit

netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" filterlist="Domain Member" kerberos=yes filteraction=SecPermit

netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - File" filterlist="Block Domain Access" kerberos=yes filteraction=Block

REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" filterlist="Monitoring" kerberos=yes filteraction=SecPermit

netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
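The rules above reference a policy, filter lists and filter actions that must already exist when they run. The following batch fragment is an added example, not the guide's own script, that builds the first and last of those rules end to end so the dependency order and the permit-then-catch-all-block pattern are visible; the port numbers, the description strings and the exact contents of the SecPermit action are this example's assumptions, not values taken from the guide.

```batch
@echo off
REM Added example (not part of ITSG-20). Builds the "CIFS/SMB Server" permit rule
REM and the "ALL Inbound Traffic" block rule from scratch.
REM ASSUMPTIONS: TCP 445 as the SMB port, the description texts, and the
REM negotiate/ESP-SHA1 definition of SecPermit are this example's choices.

REM 1. The policy container. The polling interval (minutes) is arbitrary here.
netsh ipsec static add policy name="Packet Filters - File" description="Baseline host packet filters (example)" pollinginterval=30

REM 2. Filter lists and filters. dstaddr=me with mirrored=yes creates the
REM    matching outbound filter, so one entry covers the whole SMB session.
netsh ipsec static add filterlist name="CIFS/SMB Server" description="SMB over TCP 445 (assumed port)"
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Catch-all for anything not explicitly permitted"
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me protocol=any mirrored=no

REM 3. Filter actions. SecPermit is assumed to negotiate ESP integrity only
REM    (no encryption, no fallback to clear), so only peers that complete
REM    Kerberos authentication get through; Block silently discards.
netsh ipsec static add filteraction name=SecPermit action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name=Block action=block

REM 4. The rules as listed on the page. The specific permit rule takes
REM    precedence over the catch-all because IPsec applies the most specific
REM    matching filter, so order of creation does not matter.
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block

REM 5. Nothing is enforced until the policy is assigned. Review it first so a
REM    typo in a filter list does not lock remote administrators out.
netsh ipsec static show policy name="Packet Filters - File" level=verbose
netsh ipsec static set policy name="Packet Filters - File" assign=y
```

Run it from a console session on the server itself, since a wrong catch-all filter will drop the remote session used to fix it.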

5.3 Domain Print Server Policy

The domain print server allows authenticated users access to shared printers. These shared printers use access controls. Users outside a domain can authenticate with domain-based credentials. Once authenticated, access is granted based on domain policy.

To fulfill print services, the Baseline configuration settings do not require further changes.

5.3.1 Variance from Microsoft "Hardening Print Servers" Guidance

The Microsoft role-based policy for print servers has two activities: 1) start the print spooler and 2) disable "Microsoft network server: Digitally sign communications (always)". The CSE policy also starts the print spooler but differs in the handling of signatures. The Microsoft Security Options section recommends disabling "Microsoft network server: Digitally sign communications (always)"; the stated reason is that users would not be able to view the status of their print jobs. We did not observe this limitation in our lab. As a result, the option to digitally sign communications is enabled.

The remaining differences are a result of the variance between the CSE and Microsoft Baseline configurations. It is important to note that the role-based policies cannot be viewed in isolation from the Baseline configuration.

5.3.2 [Registry Values]

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,System\CurrentControlSet\Control\Print\Printers

Role Based Server Policies March 2004 121
