Windows Server 2003 Recommended Baseline Security

More documents

Recommendations

Info

Windows Server 2003 Recommended Baseline Security (ITSG-20) achieved within a level; this allows you to create a matrix of policies for servers and environments. In a Workgroup environment, policy is applied in a prescribed order via policy files. This provides a consistent security profile for servers in a Workgroup environment. Since ‘policy files’ are simply text files, you can edit them with your favorite text editor. You may also copy and paste the policy text found at the end of this document. 2.1.3 Monitoring and Enforcement We have outlined a manual method that provides basic compliance verification. This manual approach limits scalability of the solution. In a large environment, we recommend an automated method. 2.2 Assumptions / Restrictions 2.2.1 Installation For the installation of the OS, please ensure the following: a. The CD-ROM is before the floppy drive in the boot device order; b. There is no previous version of Windows (if not the installation will pause); and c. The first available disk partition is for the operating system. The following assumptions are made: a. The Server to be installed is not a Cluster Member; b. The Domain has an Organizational Unit for Servers; c. The Domain has an Organizational Unit for Print Servers under Servers; d. The Domain has an Organizational Unit for Files servers under Servers; and e. The installation is limited to contents of the Microsoft Server 2003 distribution. 2.2.2 Policy Application of the policy results in the following: a. Local Guest account is renamed and disabled; b. Local Administrator account is renamed and disabled; c. All systems are Windows 2000 or later; d. System will shutdown if unable to log security events; e. No shares or named pipes can be accessed anonymously; f. No registry data can be accessed remotely; g. No accounts have the right to submit batch jobs; h. Administrator accounts cannot start services (Use an appropriate SERVICE account); i. Plug and Play is enabled when required as it is disabled by default; and j. SNMP is disabled. 2.2.3 Policy Monitoring and Enforcement No additional assumptions are required for Policy Monitoring and Enforcement. 6 March 2004 Overview
Windows Server 2003 Recommended Baseline Security (ITSG-20) 3 Automated Installation This section provides details for the Winnt.sif files. These files are used to install Windows Server 2003 in a Domain or Workgroup environment. In both cases, use local operational values. The raw files (ones without comments) are in Appendix A. NOTE: You must maintain your system with the latest service packs and hot fixes. This ensures the system’s security is current. 3.1 Initiating Automated Installation The automated installation uses a combination of CDROM and a floppy disk with a Winnt.sif file. During the boot process, it determines if the floppy has a Winnt.sif file. If present, it will use the settings in the file to configure the system. 3.2 Domain Server Installation Configuration file In the Active Directory tree, the Domain version requires a ‘Print Servers’ and ‘File Servers’ organizational unit (OU) be part of a ‘Public Servers’ OU (see below). All three of these OU’s are placeholders for policy that apply to the OU level in the directory information tree. Domain Name domain.local Organizational Unit User Systems Public Servers Organizational Unit File Servers Print Servers Servers File Server 1 File Server 2 Figure 1 – Example Active Directory Structure Automated Installation March 2004 7
Page 1 and 2: IT Security Guidance Windows Server
Page 3 and 4: Windows Server 2003 Recommended Bas
Page 15: Windows Server 2003 Recommended Bas
Page 28 and 29: Unclassified ITSG for Windows Serve
Page 76 and 77:
Unclassified ITSG for Windows Serve
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
show all

Windows Server 2003 Recommended Baseline Security

Create successful ePaper yourself

Delete template?

Save as template?