Windows Server 2003 Recommended Baseline Security (ITSG-20)
:IPSec Rule Definitions
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" filterlist="Domain Member" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - File" filterlist="Block Domain Access" kerberos=yes filteraction=Block
REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
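The following Python audit script is an added example, not part of ITSG-20 or any CSE tool; it parses rule definitions in the netsh form listed above (a constructed subset is embedded) and checks for the properties the packet-filter policy depends on: a catch-all inbound Block rule, Kerberos on every SecPermit rule, and any rule left disabled with REM.

```python
import re
from dataclasses import dataclass

# Constructed sample in the form of the rule definitions above; a leading REM disables a line.
RULE_SCRIPT = """\
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - File" filterlist="Block Domain Access" kerberos=yes filteraction=Block
REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
"""
ADD_RULE = "netsh ipsec static add rule"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=token
@dataclass
class Rule:
    name: str
    policy: str
    filterlist: str
    kerberos: bool   # kerberos=yes: peers must authenticate with Kerberos
    action: str      # SecPermit or Block in this policy
    enabled: bool    # False when the line is commented out with REM
def parse_rules(script: str) -> list:
    """Turn netsh 'add rule' lines (including REM'd ones) into Rule records."""
    rules = []
    for raw in script.splitlines():
        line = raw.strip()
        enabled = not line.upper().startswith("REM ")
        body = line if enabled else line[4:].lstrip()
        if not body.startswith(ADD_RULE):
            continue
        kv = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(body[len(ADD_RULE):])}
        rules.append(Rule(kv["name"], kv["policy"], kv["filterlist"],
                          kv.get("kerberos", "no").lower() == "yes",
                          kv["filteraction"], enabled))
    return rules

def audit(rules: list) -> list:
    """Flag deviations from what the policy relies on. Windows IPSec applies the most specific
    matching filter, not the first listed, so the catch-all Block only covers unmatched traffic."""
    findings = []
    active = [r for r in rules if r.enabled]
    if not any(r.action == "Block" and r.filterlist == "ALL Inbound Traffic" for r in active):
        findings.append("no catch-all 'ALL Inbound Traffic' Block rule")
    for r in active:
        if r.action == "SecPermit" and not r.kerberos:
            findings.append(f"{r.name}: SecPermit without Kerberos authentication")
    for r in rules:
        if not r.enabled:
            findings.append(f"{r.name}: disabled by REM, filter list '{r.filterlist}' not applied")
    return findings
```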
5.3 Domain Print Server Policy
The domain print server allows authenticated users access to shared printers. These shared printers use access controls. Users outside the domain can authenticate with domain-based credentials; once authenticated, access is granted according to domain policy.
No further changes to the Baseline configuration settings are required to provide print services.
5.3.1 Variance from Microsoft “Hardening Print Servers” Guidance
The Microsoft role-based policy for print servers has two activities: 1) start the print spooler and 2) disable “Microsoft network server: Digitally sign communications (always)”. The CSE policy also starts the print spooler but differs in its handling of signatures. The Microsoft Security Options section recommends disabling “Microsoft network server: Digitally sign communications (always)”, its reason being that users would not be able to view the status of their print jobs. We did not observe this limitation in our lab. As a result, the option to digitally sign communications is enabled.
The remaining differences are a result of the variance between the CSE and Microsoft Baseline configurations. It is important to note that the role-based policies cannot be viewed in isolation from the Baseline configuration.
5.3.2 [Registry Values]
machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,System\CurrentControlSet\Control\Print\Printers
Role Based Server Policies March 2004 121