Jonathan Hassell, author of "Hardening Windows," recently conducted a checklist-style webcast that outlined 15 steps you can take right now to harden Windows Server 2003 against various threats. If you haven't viewed the webcast, here's a look at Jonathan's 15 steps and some of the main points he discussed. For the complete information and detailed expert advice, you may view the webcast any time.
Step 1: Be rigid on passwords
Main points: Enforce stronger authentication by encouraging the use of passphrases and requiring a 15-character minimum.
Step 2: Use Windows XP software restriction policies through Group Policy
Main points: Use Group Policy to block all extensions related to scripts and disallow especially nefarious programs (cmd.exe, Regedit.exe).
Step 3: Enable Internet Connection Firewall (ICF)
Main points: Almost every machine in your company can benefit from having a firewall. ICF only blocks incoming traffic, uses stateful packet inspection and allows you to force open particular ports.
Step 4: Kill LM hashes
Main points: To eliminate LM hashes, require a 15-character minimum for passwords and enable the Security Option "Network Security: Do not store LAN manager hash value on next password change."
Step 5: Strengthen TCP/IP stack
Main points: You should not connect Windows systems directly to the Internet. Where a system is exposed, harden the stack itself: increase the memory available for TCP connections and decrease the timeout values for 3-way handshakes.
Step 6: Mandate SMB signing
Main points: SMB signing will help you prevent man-in-the-middle attacks.
Step 7: Harden network policies
Main points: You should enable settings like "Do not allow anonymous enumeration of SAM" and disable settings like "Allow anonymous SID/Name translation." This may be considered security by obscurity, but it's an important component of hardened Windows systems.
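As an added example (not from the webcast or Jonathan's book), the following PowerShell script audits the settings behind Steps 4, 6 and 7 plus the 15-character minimum from Steps 1 and 4 on the local server. The registry paths and value names are the standard Windows ones; it is assumed to run in an elevated session on the machine being checked, and "Allow anonymous SID/Name translation" is left out because it lives in the LSA policy database rather than a plain registry value.

```powershell
# Added audit script (not the webcast's own material): reads the registry values
# behind Steps 4, 6 and 7 and the local minimum password length, then reports
# each as PASS/FAIL. Assumes an elevated PowerShell session on the server itself.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the Windows default applies
    return [int]$item.$Name
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# One entry per check: label, the value read, and the minimum the step expects.
$checks = @(
    @{ Step = 'Step 4: NoLMHash (do not store LM hash)';            Actual = Get-RegDword $lsa 'NoLMHash';                 Expected = 1 },
    @{ Step = 'Step 6: SMB signing required (server side)';         Actual = Get-RegDword $srv 'RequireSecuritySignature'; Expected = 1 },
    @{ Step = 'Step 6: SMB signing required (client side)';         Actual = Get-RegDword $wks 'RequireSecuritySignature'; Expected = 1 },
    @{ Step = 'Step 7: RestrictAnonymousSAM (no anon. SAM enum.)';  Actual = Get-RegDword $lsa 'RestrictAnonymousSAM';     Expected = 1 }
)

# Steps 1 and 4 both hinge on a 15-character minimum; 'net accounts' prints the local policy.
$minLenLine = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
$minLen = if ($minLenLine -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }   # non-numeric means no minimum
$checks += @{ Step = 'Step 1/4: Minimum password length >= 15'; Actual = $minLen; Expected = 15 }

foreach ($c in $checks) {
    $ok     = ($null -ne $c.Actual) -and ($c.Actual -ge $c.Expected)
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    $shown  = if ($null -eq $c.Actual) { '(not set)' } else { $c.Actual }
    '{0,-4} {1,-55} actual={2}' -f $status, $c.Step, $shown
}
```

The SID/Name translation setting can be reviewed separately with `secedit /export /cfg <file>` (the LSAAnonymousNameLookup line under [System Access]).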
Step 8: Use Software Update Services (SUS)
Main points: You should always use SUS or some other patch management system to receive, distribute and schedule the most up-to-date patches.
Step 9: Rope off, quarantine, sanitize
Main points: This is a very important step. Using Network Access Quarantine Control, you should limit or disallow resources to certain clients, put non-quarantined clients in a holding bin to verify system attributes, and finally provide resources to fix any problems discovered before they're allowed to connect.
Step 10: Plan for the worst
Main points: To plan for disasters, use scripts to build up 80% of your infrastructure and leave yourself much more time to manually reconstruct the remaining 20%.
Step 11: Get the Group Policy Management Console
Main points: It's now easier than ever to use Group Policy to set security policies across the board -- and you should take advantage of it.
Step 12: Use the Microsoft Baseline Security Analyzer (MBSA)
Main points: This is a handy tool used to scan computers in a Windows Update-like fashion. It is continually updated by Microsoft and it supports a number of products.
Step 13: Familiarize yourself with IPsec
Main points: IP is too public not to be encrypted. You should use IPsec to protect transmissions between servers, client tunnels and any point-to-point IP transactions where both ends know how to read IPsec.
Step 14: Use Internet Information Services (IIS) 6.0
Main points: Thanks to many new security improvements, IIS is finally ready for prime-time hosting.
Step 15: Play with Windows Server 2003 Service Pack 1
Main points: With release expected in mid-2005, improvements will include a security configuration wizard and remote client quarantine.
For complete information and expert advice to help you enforce the 15 steps listed above, view the webcast today!
About the speaker: Jonathan Hassell is author of Hardening Windows, published by Apress. He is a systems administrator and IT consultant residing in Raleigh, NC, with extensive experience in networking technologies and Internet connectivity. He currently runs his own Web-hosting business, Enable Hosting, based out of both Raleigh and Charlotte, NC. Jonathan's previous published work includes RADIUS, published by O'Reilly and Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. You can e-mail Jonathan at jhassell@gmail.com.