Midmarket companies are heavily invested in Windows Server 2003, and with the recession dragging the economy to the gutter, it's likely that most upgrade cycles are on hold. Therefore, leveraging your current Windows investments takes on greater importance, and a crucial first step is hardening services offered in Windows Server 2003.
Server hardening includes checking and disabling if necessary all the ports and services that could be vulnerable to a hacker. This two-part tip suggests a five-step plan for securing Windows Server 2003. Steps one, two and three are covered here.
STEP ONE: Choose NTFS for all volumes.
Building a hardened server means implementing secure procedures from the initial installation. New machines should be installed on an isolated network, protected from possible hostile traffic until the operating system is hardened.
During the first few steps of the setup, you will be asked to choose between FAT (file allocation table) or NTFS (new technology file system). Choose NTFS for all volumes.
FAT is the original file system designed by Microsoft for early operating systems. NTFS was introduced with Windows NT and provides a number of security features that FAT does not, including access control lists (ACLs) and file system journaling (which logs changes before committing them to the main file system).
Next, apply the latest Service Pack (SP2) and any available hotfixes. While many of the patches contained in the Service Pack are relatively old, they cover a number of known vulnerabilities that are used in common exploits for threats, such as denial-of-service attacks, remote code execution and cross-site scripting.
STEP TWO: Use Security Configuration Wizard to build security policies.
Now you're ready to get down to serious work. The easiest way to harden Windows Server 2003 is to utilize the Security Configuration Wizard (SCW), which can step you through the creation of a security policy based upon that particular server's role on the network. (see illustration below)
The SCW is different than the ConfigureYour Server Wizard. SCW does not install server components, but detects ports and services, and configures registry and audit settings.
The SCW isn't installed by default, so you must add it through the Control Panel's Add/Remove Programs applet. Choose the Add/Remove Windows Components button and select the Security Configuration Wizard. Once installed, the SCW will be accessible from the Administrative Tools.
The security policies created through SCW are XML files that configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS). Through the configuration interface, new security policies can be created, and existing policies can be edited or applied to other servers on the network. In the event a new policy creates conflict or instability, it can be rolled back.
SCW covers all the bases of Server 2003 security. The wizard begins with the Security Configuration Database, which contains information about all the roles, client features, administration options, services and ports. There is also an extensive knowledge base for applications. This means that when an application is required by a selected server role, client features, such as automatic updates or administrative processes like backups, the Windows Firewall will open the requisite ports. When the application is closed, the ports will be automatically blocked.
Security settings for network and Registry protocols as well as Server Message Block (SMB) security signatures increase protection for critical server features. Outbound Authentication settings determine the level of authentication required in order to connect with external resources.
The final steps of the SCW cover the auditing policy. By default, Server 2003 only audits successful activities, but for a hardened system, both successful and failed activities should be audited and logged. Once the wizard is completed, the security policy can be stored as an XML file that can be immediately applied to the server, saved for later use or applied to other servers. (see illustration below)
STEP THREE: Disable or delete unnecessary accounts, ports and services.
During installation, three local user accounts are automatically created--Administrator, Guest and a HelpAssistant account, which is installed with a Remote Assistance session). The Administrator account holds the keys to the kingdom. It can assign user rights and access control. Although this master account cannot be deleted, it should be disabled or renamed to make it more difficult for hackers to gain access.
Instead, you should assign administrative rights to an individual user or a Group Object. This makes it much harder for a hacker to figure out which user has administrative rights. This is also critical to auditing processes. Imagine having an IT department in which anyone can log on to the server using a single administrative account and password; major security problem. It's best just not to use the Administrator account at all.
Similarly, the Guest and HelpAssistant accounts provide an easy target to those who know their way around Server 2003. This can be completed through the Control Panel under the Administrative Tools menu with the Computer Management option. Right-click the user account you want to change, and then click Properties. Be certain that these accounts are disabled on the network, as well as locally.
Open ports are high risk areas, There are 65,535 available ports and your server doesn't need all of them. A firewall, included with SP1, allows administrators to disable unnecessary TCP and UDP ports. Ports are divided into three distinct ranges: well-known ports (0-1023), registered ports (1024-49151) and dynamic/private ports (49152-65535). The known ports are the critical ones required for OS function. The registered ports are those that are able to be used by only that service or application and the rest are the Wild West.
By obtaining a list of ports and the services and applications associated with them, administrators can determine which ones are required for critical functions. For instance, to prevent any telnet or FTP traffic, the known ports associated with these applications can be block. Similarly, known software and malware have known associated ports, all that can be blocked to create a more secure server posture. Best practice is to close all ports that aren't in use.
Using the free Nmap tool is a great way to determine what ports are open, listening and blocked on a machine. SCW closes all ports by default and then opens them as the security policy is set.
The most effective way to harden a server is to not install any applications that are not relevant to the its operations and to turn off unneeded services. While having an email client or productivity tools on a server might be convenient for administrators, they should not be installed if they do not directly relate to the server's functionality.
More than a hundred services can be disabled in Windows Server 2003. For example, DHCP services are included in the base installation. However, if you are not going to utilize the system as a DHCP server, disabling tcpsvcs.exe will prevent the service from initializing and functioning.
Keep in mind, though, that not all services can be disabled. For example, although the Blaster worm utilized the Remote Procedure Call (RPC) service, it cannot be disabled since it provides other system processes to communicate internally and across the network with each other.
To shut down unneeded services, access the Services interface through the Control Panel's Administrative Tools menu. Double-click on the service to open the Properties dialog box and choose Disabled in the Startup Type box. (see illustration above)
Technical editor Sandra Kay Miller is a frequent contributor to Information Security magazine.
Send comments on this technical tip to firstname.lastname@example.org.
This was first published in March 2009