Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security (ITSG-20)
achieved within a level; this allows you to create a matrix of policies for servers and
environments.
In a Workgroup environment, policy is applied in a prescribed order via policy files. This
provides a consistent security profile for servers in a Workgroup environment.
Since ‘policy files’ are simply text files, you can edit them with your favorite text editor. You
may also copy and paste the policy text found at the end of this document.
2.1.3 Monitoring and Enforcement
We have outlined a manual method that provides basic compliance verification. This manual
approach limits scalability of the solution. In a large environment, we recommend an automated
method.
2.2 Assumptions / Restrictions
2.2.1 Installation
For the installation of the OS, please ensure the following:
a. The CD-ROM is before the floppy drive in the boot device order;
b. There is no previous version of Windows (otherwise the installation will pause); and
c. The first available disk partition is for the operating system.
The following assumptions are made:
a. The Server to be installed is not a Cluster Member;
b. The Domain has an Organizational Unit for Servers;
c. The Domain has an Organizational Unit for Print Servers under Servers;
d. The Domain has an Organizational Unit for File Servers under Servers; and
e. The installation is limited to contents of the Microsoft Server 2003 distribution.
2.2.2 Policy
Application of the policy results in the following:
a. Local Guest account is renamed and disabled;
b. Local Administrator account is renamed and disabled;
c. All systems are Windows 2000 or later;
d. System will shut down if unable to log security events;
e. No shares or named pipes can be accessed anonymously;
f. No registry data can be accessed remotely;
g. No accounts have the right to submit batch jobs;
h. Administrator accounts cannot start services (use an appropriate SERVICE account);
i. Plug and Play is enabled when required as it is disabled by default; and
j. SNMP is disabled.
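Several of the results listed above can be verified automatically, as 2.1.3 recommends for large environments. The following Python check is an added example, not part of ITSG-20: it parses policy text in the INF layout written by `secedit /export` and reports which of items a, b, d, e, g and j are not met. The setting names are the standard Windows security-template keys, assumed here rather than taken from this document, and the sample policy is constructed.

```python
SAMPLE_INF = r'''; Constructed sample in `secedit /export` layout (not from the document)
[System Access]
EnableGuestAccount = 0
NewGuestName = "visitor_x"
EnableAdminAccount = 1
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,browser
[Service General Setting]
"SNMP",4,""
'''

def parse_inf(text):
    """Return {section: {lowercased key: value}} for an INF-style policy file."""
    sections, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif line and not line.startswith(";") and name:
            # Service lines are 'name,startup,acl'; everything else is 'key = value'.
            sep = "," if name == "Service General Setting" else "="
            key, _, value = line.partition(sep)
            sections.setdefault(name, {})[key.strip().strip('"').lower()] = value.strip()
    return sections

def reg_data(sections, value_name):
    """Data of a [Registry Values] line 'path=type,data', matched by value name."""
    for key, value in sections.get("Registry Values", {}).items():
        if key.endswith("\\" + value_name.lower()):
            return value.partition(",")[2].strip()
    return None  # value not configured in this policy

def failed_outcomes(text):
    """Return the section 2.2.2 items (a, b, d, e, g, j) this policy text does not meet."""
    s = parse_inf(text)
    acct, svc = s.get("System Access", {}), s.get("Service General Setting", {})
    renamed = lambda key, default: acct.get(key, default).strip('"').lower() != default
    checks = {
        "a": acct.get("enableguestaccount") == "0" and renamed("newguestname", "guest"),
        "b": acct.get("enableadminaccount") == "0" and renamed("newadministratorname", "administrator"),
        "d": reg_data(s, "CrashOnAuditFail") == "1",
        "e": reg_data(s, "NullSessionShares") == "" and reg_data(s, "NullSessionPipes") == "",
        # Assumption: a missing or empty entry means no account holds the right.
        "g": s.get("Privilege Rights", {}).get("sebatchlogonright", "") == "",
        "j": svc.get("snmp", "").split(",")[0] == "4",  # startup type 4 = disabled
    }
    return [item for item, ok in checks.items() if not ok]
```

For the constructed sample, `failed_outcomes(SAMPLE_INF)` returns items b, e and g. A real export is written as UTF-16 text, so decode the file accordingly before passing its contents in.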
2.2.3 Policy Monitoring and Enforcement
No additional assumptions are required for Policy Monitoring and Enforcement.
6 March 2004 Overview