Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security (ITSG-20)

achieved within a level; this allows you to create a matrix of policies for servers and environments. In a Workgroup environment, policy is applied in a prescribed order via policy files. This provides a consistent security profile for servers in a Workgroup environment. Since ‘policy files’ are simply text files, you can edit them with your favorite text editor. You may also copy and paste the policy text found at the end of this document.

2.1.3 Monitoring and Enforcement

We have outlined a manual method that provides basic compliance verification. This manual approach limits the scalability of the solution. In a large environment, we recommend an automated method.

2.2 Assumptions / Restrictions

2.2.1 Installation

For the installation of the OS, please ensure the following:
a. The CD-ROM is before the floppy drive in the boot device order;
b. There is no previous version of Windows (if there is, the installation will pause); and
c. The first available disk partition is for the operating system.

The following assumptions are made:
a. The server to be installed is not a cluster member;
b. The Domain has an Organizational Unit for Servers;
c. The Domain has an Organizational Unit for Print Servers under Servers;
d. The Domain has an Organizational Unit for File Servers under Servers; and
e. The installation is limited to the contents of the Microsoft Server 2003 distribution.

2.2.2 Policy

Application of the policy results in the following:
a. The local Guest account is renamed and disabled;
b. The local Administrator account is renamed and disabled;
c. All systems are Windows 2000 or later;
d. The system will shut down if it is unable to log security events;
e. No shares or named pipes can be accessed anonymously;
f. No registry data can be accessed remotely;
g. No accounts have the right to submit batch jobs;
h. Administrator accounts cannot start services (use an appropriate SERVICE account);
i. Plug and Play is enabled only when required, as it is disabled by default; and
j. SNMP is disabled.

2.2.3 Policy Monitoring and Enforcement

No additional assumptions are required for Policy Monitoring and Enforcement.

Overview, March 2004, page 6
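The manual compliance check described in 2.1.3 can be started from a script like the one below. It is an added example, not the guide's own method: a read-only spot check of the 2.2.2 outcomes that are visible through WMI and the registry. The registry values and service names are standard Windows ones; mapping them to items a, b, d, e, f, i and j of 2.2.2 is this example's assumption.

```powershell
# Added example (not from ITSG-20): read-only spot check of selected 2.2.2 outcomes.
function New-Check([string]$Check, $Pass) {
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass }
}

function Test-BaselinePolicy {
    # a, b: Guest (RID 501) and Administrator (RID 500) are both renamed by the
    # policy, so locate them by the well-known RID at the end of the SID.
    $accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True"
    foreach ($rid in 500, 501) {
        $acct = $accounts | Where-Object { $_.SID -like "*-$rid" }
        New-Check "Built-in account RID $rid ('$($acct.Name)') is disabled" $acct.Disabled
    }

    # d: shut down when the security log cannot be written (CrashOnAuditFail = 1).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Check 'Lsa\CrashOnAuditFail = 1' ($lsa.CrashOnAuditFail -eq 1)

    # e: anonymous (null session) access to shares and named pipes is refused.
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-Check 'LanmanServer\RestrictNullSessAccess = 1' ($srv.RestrictNullSessAccess -eq 1)

    # f, i, j: Remote Registry, Plug and Play and SNMP must not be startable; a service
    # that is not installed also satisfies the check. PlugPlay may legitimately be
    # enabled where item i of 2.2.2 requires it, so treat a failure there as a review item.
    foreach ($name in 'RemoteRegistry', 'PlugPlay', 'SNMP') {
        $svc  = Get-WmiObject Win32_Service -Filter "Name = '$name'"
        $mode = if ($svc) { $svc.StartMode } else { 'Not installed' }
        New-Check "$name service is Disabled (found: $mode)" ($mode -eq 'Disabled' -or $mode -eq 'Not installed')
    }
    # g and h are user-rights assignments; export them with 'secedit /export /cfg <file>'
    # and compare the [Privilege Rights] section. This example does not cover them.
}

Test-BaselinePolicy | Format-Table Check, Pass -AutoSize
```

Run it in an administrative session on the server being verified; every row with Pass = False is a deviation from the 2.2.2 outcomes to investigate.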
3 Automated Installation

This section provides details for the Winnt.sif files. These files are used to install Windows Server 2003 in a Domain or Workgroup environment. In both cases, use local operational values. The raw files (ones without comments) are in Appendix A.

NOTE: You must maintain your system with the latest service packs and hot fixes. This ensures the system’s security is current.

3.1 Initiating Automated Installation

The automated installation uses a combination of a CD-ROM and a floppy disk holding a Winnt.sif file. During the boot process, Setup checks whether the floppy has a Winnt.sif file. If present, it uses the settings in the file to configure the system.

3.2 Domain Server Installation Configuration File

In the Active Directory tree, the Domain version requires that a ‘Print Servers’ and a ‘File Servers’ organizational unit (OU) be part of a ‘Public Servers’ OU (see Figure 1). All three of these OUs are placeholders for policy that applies at the OU level in the directory information tree.

Figure 1 – Example Active Directory Structure (diagram not reproduced): the domain domain.local contains the organizational units ‘User Systems’ and ‘Public Servers’; ‘Public Servers’ contains the organizational units ‘File Servers’, ‘Print Servers’ and ‘Servers’; two example hosts, ‘File Server 1’ and ‘File Server 2’, appear beneath them.
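Because the OUs in Figure 1 are where the policy is attached, an answer file that places the new computer object elsewhere leaves the server outside the baseline. The following is an added example, not the Appendix A file: a small parser for the Winnt.sif INI format used in 3.1 and 3.2, plus a check that the file is fully unattended, joins the domain and puts the machine under ‘Public Servers’. The sample file, the use of the [Identification] MachineObjectOU key for placement and the parent OU distinguished name are this example's assumptions.

```powershell
# Added example (not from ITSG-20): parse a Winnt.sif and check the settings section 3 relies on.
function Read-AnswerFile([string[]]$Lines) {
    # Winnt.sif is INI text: [Section] headers and Key = "Value" lines; ';' starts a comment.
    $ini = @{}; $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($t -match '^([^=]+?)\s*=\s*"?(.*?)"?\s*$') { $ini[$section][$Matches[1]] = $Matches[2] }
    }
    return $ini
}

function Get-Setting([hashtable]$Ini, [string]$Section, [string]$Key) {
    if ($Ini.ContainsKey($Section) -and $Ini[$Section].ContainsKey($Key)) { $Ini[$Section][$Key] } else { '' }
}

# Emits one finding string per deviation; emits nothing when the file passes.
function Test-AnswerFile([hashtable]$Ini, [string]$ParentOu = 'OU=Public Servers,DC=domain,DC=local') {
    if ((Get-Setting $Ini 'Data' 'UnattendedInstall') -ne 'Yes') {
        'Data\UnattendedInstall is not Yes: Setup will run interactively' }
    if ((Get-Setting $Ini 'Unattended' 'UnattendMode') -ne 'FullUnattended') {
        'Unattended\UnattendMode is not FullUnattended: Setup may prompt for missing values' }
    if ((Get-Setting $Ini 'Identification' 'JoinDomain') -eq '') {
        'Identification\JoinDomain is missing: the server will build as a Workgroup member' }
    $ou = Get-Setting $Ini 'Identification' 'MachineObjectOU'
    # Distinguished names are case-insensitive, so compare in lower case.
    if (-not $ou.ToLower().EndsWith(",$ParentOu".ToLower())) {
        "Identification\MachineObjectOU '$ou' is not under $ParentOu: OU-level policy will not apply" }
}

# Constructed sample with one deliberate defect: the computer object is placed
# directly under the domain, so the File Servers baseline of Figure 1 would not reach it.
$sample = @'
[Data]
UnattendedInstall="Yes"
[Unattended]
UnattendMode=FullUnattended
[Identification]
JoinDomain=domain.local
MachineObjectOU="OU=File Servers,DC=domain,DC=local"
'@
$lines = $sample -split "`r?`n"

Test-AnswerFile (Read-AnswerFile $lines) | ForEach-Object { Write-Output "FAIL: $_" }
```

Replace the constructed sample with `Get-Content A:\Winnt.sif` to check the floppy that will actually be read at boot.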