In part one of this two-part technical tip, we examined the first three steps you should take to secure Windows Server 2003. In this part, we look at steps four and five, which cover access controls and maintenance steps you should take to maintain your machine's security posture.
STEP FOUR: Set up appropriate access control to the physical machine as well as the logical components.
From the moment you hit the power button until the operating system starts and all services are active, there is still room for nefarious activity. Regardless of the operating system, a well-hardened machine starts with a password-protected BIOS/firmware. Also at the BIOS level, the boot order should be set so the machine cannot be booted from alternative media: anyone who can boot a live CD or a USB stick owns every file on the disk, NTFS permissions notwithstanding. Bear in mind that a BIOS password can usually be cleared with a motherboard jumper or by pulling the CMOS battery, so it complements physical access control to the chassis rather than replacing it.
The key sequence given here is the one Dell's BIOS uses; other vendors use Del, F1, F10 or F12 and lay the pages out differently, so check the hardware manual. Enter the BIOS setup by pressing F2 immediately after powering on the computer; Alt-P moves you through the settings pages. On the Boot Order page, set the first (ideally the only) option to Internal HDD. On the System Security page there are options for Primary, Administrative and Hard Disk passwords; set the Administrative password at a minimum, since that is the one that locks the setup screens themselves.
Similarly, AutoRun for removable media, including CD-ROM, DVD and USB drives, should be disabled. AutoRun launches whatever the autorun.inf on inserted media points at, which makes it an easy way to install a Trojan, backdoor, keylogger, listener, etc. Two registry values are involved. Setting Autorun to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom turns it off for optical drives only (the value lives under the CD-ROM driver's service key, so there is no equivalent key for USB devices). To cover every drive type, set NoDriveTypeAutoRun to 0xFF under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is also what the Group Policy setting "Turn off Autoplay" writes. (see illustration below)
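The following is an added example, not code from the original article, showing the two registry settings described above being audited and then applied from PowerShell. It assumes PowerShell 2.0 is installed on the Server 2003 machine (it was an optional download for that release) and that the session runs as a local administrator; the key paths and value names are Microsoft's documented ones.

```powershell
# Added example: audit and disable AutoRun on Windows Server 2003.
# Assumes PowerShell 2.0 on the server and a local-administrator session.

$CdromKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$ExplorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunState {
    # $null means the value is absent, which Windows treats as "AutoRun enabled".
    $cd  = Get-ItemProperty -Path $CdromKey    -Name Autorun            -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $ExplorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $cdValue  = $null
    $polValue = $null
    if ($cd)  { $cdValue  = $cd.Autorun }
    if ($pol) { $polValue = $pol.NoDriveTypeAutoRun }
    New-Object PSObject -Property @{ CdromAutorun = $cdValue; NoDriveTypeAutoRun = $polValue }
}

function Disable-Autorun {
    # Cdrom\Autorun = 0 stops the optical driver from signalling media changes, which is
    # what kicks off autorun.inf processing for CDs and DVDs. Takes effect after a reboot.
    Set-ItemProperty -Path $CdromKey -Name Autorun -Value 0 -Type DWord

    # NoDriveTypeAutoRun is a bitmask over drive types (removable 0x04, fixed 0x08,
    # network 0x10, CD-ROM 0x20, RAM disk 0x40); 0xFF covers all of them, so USB sticks
    # and external disks are included, not just optical media.
    if (-not (Test-Path $ExplorerPol)) { New-Item -Path $ExplorerPol -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Test-AutorunDisabled {
    $s = Get-AutorunState
    return (($s.CdromAutorun -eq 0) -and ($s.NoDriveTypeAutoRun -eq 0xFF))
}

# Usage: show the state before, harden, then confirm from the registry rather than
# trusting that the Set-ItemProperty calls succeeded.
Get-AutorunState
Disable-Autorun
if (Test-AutorunDisabled) { 'AutoRun disabled for all drive types' }
else { 'AutoRun still enabled; check that the session is elevated and the keys are writable' }
```

Two caveats. Microsoft's KB967715 documents NoDriveTypeAutoRun and the update that Windows XP and Server 2003 need before the value is honored for every drive type, so make sure that update is applied. On a domain member the same value may be pushed by Group Policy, which overrides the local setting in either direction; confirm the effective result with gpresult rather than the local registry alone.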
The next line of defense is how users log on to the system. Although alternative authentication technologies such as biometrics, tokens, smart cards and one-time passwords are available for Windows Server 2003, most administrators log on to their server, locally or remotely, with a user name and a password. All too often that password is the default or a shared one, which is begging for trouble (and please, don't just replace the old default with p@_55w0rd!).
This should go without saying, but if you are relying on passwords, use a strong policy: a minimum of eight characters drawn from at least three of the four character classes (upper case, lower case, digits and non-alphanumeric characters), which is what the Windows setting "password must meet complexity requirements" enforces; a maximum password age so that changes are forced at regular intervals; and a password history so the same password cannot be reused for a set number of changes. Pair it with an account lockout threshold so that repeated guessing fails loudly instead of silently.
A strong password policy, plus multifactor authentication, is only the start. Thanks to the ACLs provided by NTFS, each user or group can be granted a different level of access to every file, folder, share and registry key on the server. Configure file and print share permissions on the basis of groups rather than "Everyone": rights granted to groups keep the ACLs readable and survive staff turnover. Remember that a share has two ACLs, the share permissions and the NTFS permissions on the folder beneath it, and the effective access is the more restrictive of the two, so both need to be group-based. The settings can be made locally on the server or centrally through Active Directory Group Policy.
Equally important is ensuring that only properly authorized accounts can read, and above all write, the Registry. Service configuration and the Run keys live there, and write access to those is equivalent to running code as the service or the logged-on user. The bottom line is to limit user access to only those services and applications that are required.
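As an added example (not code from the article), here is how the group-based share and NTFS permissions and the registry check described above look when scripted on a Server 2003 machine. It assumes PowerShell 2.0 on the server, a folder D:\Reports to be shared as Reports, and two hypothetical domain groups, CONTOSO\Reports-RW and CONTOSO\Reports-RO; it uses net share and cacls because those are the tools that shipped with Server 2003 (icacls came later).

```powershell
# Added example: group-based share and NTFS permissions, plus a registry ACL audit.
# Assumes PowerShell 2.0 on Windows Server 2003 and the hypothetical names below.

$ShareName = 'Reports'
$Folder    = 'D:\Reports'
$RwGroup   = 'CONTOSO\Reports-RW'   # hypothetical group names
$RoGroup   = 'CONTOSO\Reports-RO'

function Set-GroupBasedShare {
    # Share-level ACL. net share on Server 2003 accepts /GRANT, so the share is created
    # with only the two groups on it and Everyone never appears on the share ACL.
    $exists = (net share) -match "^$ShareName\s"
    if ($exists) { net share $ShareName /DELETE | Out-Null }
    net share "$ShareName=$Folder" "/GRANT:$RwGroup,CHANGE" "/GRANT:$RoGroup,READ" | Out-Null

    # NTFS ACL on the folder tree: /E edits the existing ACL instead of replacing it,
    # /T walks subfolders, /R revokes, /G grants (C = change, R = read). Effective access
    # through the share is the more restrictive of the share ACL and the NTFS ACL.
    cacls $Folder /E /T /R Everyone       | Out-Null
    cacls $Folder /E /T /G "${RwGroup}:C" | Out-Null
    cacls $Folder /E /T /G "${RoGroup}:R" | Out-Null
}

function Find-EveryoneWritableKeys {
    # Lists registry keys under $KeyPath on which Everyone holds an Allow entry that
    # permits writing (set value, create subkey, or full control, which includes both).
    param([string]$KeyPath = 'HKLM:\SOFTWARE')
    $writeBits = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq 'Everyone' -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.RegistryRights -band $writeBits) -ne 0)) {
                New-Object PSObject -Property @{ Key = $key.Name; Rights = $ace.RegistryRights }
            }
        }
    }
}

# Usage: fix the share, then report Everyone-writable keys under HKLM\SOFTWARE. There
# should be very few; each hit is a candidate for tightening in regedit's Permissions
# dialog or through a security template.
Set-GroupBasedShare
Find-EveryoneWritableKeys -KeyPath 'HKLM:\SOFTWARE' | Format-Table Key, Rights -AutoSize
```

Run the registry audit on a freshly built server and keep the output: a later run that shows new Everyone-writable keys tells you that an application installer, or an intruder, has loosened the ACLs since the baseline.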
STEP FIVE: You're never done
Protecting your critical servers is a continuing process. Don't assume the job is complete once you've made a server as tough a nut to crack as possible.
Follow these practices to make sure all your good work wasn't all for naught:
Institute a strong audit and logging policy. Preventing unwanted or unintended actions on a server is the primary goal of hardening, but knowing whether the hardening is actually holding up requires comprehensive event logs and a strong audit policy.
With the advent of regulatory compliance, a strong audit policy should be part of every hardened Windows Server 2003. Audit account logon and logon events, account management, privilege use and policy change, for both success and failure: the failures show you who is probing, the successes show you what they got. Size the Security log so it does not wrap before anyone reads it, and copy logs off the server regularly, because an attacker who gains administrative rights can clear the local log.
Windows Server 2003 keeps application, security and system logs on every server, and adds directory service, File Replication service and DNS server logs on domain controllers and DNS servers. These can all be viewed through the Event Viewer, which also provides extensive information about hardware, software and system problems. Within each log, the Event Viewer displays five types of events: error, warning, information, success audit and failure audit; the last two are the ones the audit policy produces, and they appear only in the Security log.
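The following added example (not from the article) turns the password policy from step four and the audit policy described here into one security template, applies it, sizes the Security log, and then pulls a summary of failed logons out of that log. It assumes PowerShell 2.0 on a Server 2003 machine, run as an administrator, and that the machine is managed locally; on a domain member the domain Group Policy takes precedence over local security settings, so the same template values belong in a GPO there. The event IDs used (529 bad user name or password, 539 account locked out) are the Server 2003 values.

```powershell
# Added example: apply password and audit policy with secedit, then triage failed logons.
# Assumes PowerShell 2.0 on Windows Server 2003 and an administrative session.

$Template = Join-Path $env:TEMP 'hardening.inf'

# [System Access] carries the password and lockout policy from step four, [Event Audit]
# the audit policy from step five (0 = none, 1 = success, 2 = failure, 3 = both).
# This is the same format that "secedit /export" writes.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
MaximumPasswordAge = 90
MinimumPasswordAge = 1
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
'@ | Set-Content -Path $Template -Encoding Unicode

function Apply-HardeningTemplate {
    # /configure merges the template into the local policy database; /areas limits it to
    # account and audit policy so file and registry ACLs elsewhere are untouched.
    secedit /configure /db (Join-Path $env:TEMP 'hardening.sdb') /cfg $Template /areas SECURITYPOLICY /quiet
    # Read the effective policy back rather than trusting the exit code.
    $effective = Join-Path $env:TEMP 'effective.inf'
    secedit /export /cfg $effective /areas SECURITYPOLICY | Out-Null
    Get-Content $effective | Where-Object {
        $_ -match '^(MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|LockoutBadCount|AuditLogonEvents|AuditAccountManage|AuditPolicyChange)\s*='
    }
}

function Set-SecurityLogRetention {
    # An audit policy is only useful if the log does not wrap before anyone reads it.
    # The Server 2003 defaults are small; raise the size and keep overwrite-as-needed so
    # the server never stops logging because the log is full.
    Limit-EventLog -LogName Security -MaximumSize 128MB -OverflowAction OverwriteAsNeeded
}

function Get-FailedLogonSummary {
    # Groups failed logons by source workstation and account over the last $Hours hours
    # and reports the pairs that exceed $Threshold, which is what a password-guessing
    # attempt looks like once the audit policy above is in force.
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -After $since -EntryType FailureAudit |
      Where-Object { $_.EventID -eq 529 -or $_.EventID -eq 539 } |
      ForEach-Object {
          # The 529/539 message body carries "User Name:" and "Workstation Name:" fields.
          $user = '?'; $ws = '?'
          if ($_.Message -match 'User Name:\s+(\S+)')        { $user = $Matches[1] }
          if ($_.Message -match 'Workstation Name:\s+(\S+)') { $ws   = $Matches[1] }
          "$ws\$user"
      } |
      Group-Object |
      Where-Object { $_.Count -ge $Threshold } |
      Sort-Object Count -Descending |
      Select-Object Count, Name
}

# Usage
Apply-HardeningTemplate
Set-SecurityLogRetention
Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Keep the .inf under version control and re-run the export periodically: a diff between the stored template and a fresh "secedit /export" is a quick way to catch policy drift, whether it was caused by an administrator or by the policy-change events you are now auditing.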
Create a baseline backup. After you've taken the initiative and time to harden your Windows Server 2003, the final step is to create a Level 0/Full backup of the machine and the System State. Store this backup offline for the life of the server, record a cryptographic hash of the backup file so its integrity can be proven later, and use it as the forensic baseline to compare against when a security incident occurs. Be certain to take fresh baseline backups after major software upgrades and operating system updates as well.
Keep an eye on accounts. Managing accounts for server security is an ongoing process. User accounts should be reviewed regularly, and any inactive, duplicate, shared, generic or test accounts should be disabled, then deleted once you are sure nothing depends on them (a deleted account's SID can no longer be resolved in old log entries, which matters during an investigation).
Keep patches up to date. Needless to say, hardening is a continuing process that doesn't end with Service Pack 2. To keep abreast, enable Automatic Updates through the System applet in the Control Panel. On the Automatic Updates tab, choose "Automatically download the updates, and install them on the schedule that I specify" and pick a window that won't interfere with server functions, since most critical updates require a restart. Where you run several servers, point them at an internal WSUS server through Group Policy so updates are approved and staged centrally before they reach production.
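The three maintenance practices above, as an added example in script form (not code from the article). It assumes PowerShell 2.0 on the Server 2003 machine, a hypothetical backup target D:\Baseline, and that the server is a member server rather than a domain controller, since the account review reads the local SAM through the WinNT ADSI provider; the Automatic Updates values are the documented policy keys.

```powershell
# Added example: baseline backup with hash, stale-account review, scheduled updates.
# Assumes PowerShell 2.0 on Windows Server 2003, an administrative session, and the
# hypothetical backup target D:\Baseline.

function New-BaselineBackup {
    param([string]$Target = 'D:\Baseline')
    if (-not (Test-Path $Target)) { New-Item -ItemType Directory -Path $Target | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $bkf   = Join-Path $Target "baseline-$stamp.bkf"
    # ntbackup is the built-in Server 2003 backup tool. /M normal is a full backup;
    # "systemstate" adds the registry, COM+ database and boot files; /V:yes verifies.
    ntbackup backup systemstate C:\ /J "Baseline $stamp" /F $bkf /M normal /V:yes | Out-Null

    # Record a SHA-256 of the .bkf so the forensic baseline can be proven untouched later.
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($bkf)
    try     { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
    "$hash  $(Split-Path $bkf -Leaf)" | Add-Content -Path (Join-Path $Target 'SHA256SUMS')
    return $bkf
}

function Get-StaleLocalAccounts {
    # Lists enabled local accounts that have not logged on in $Days days, or never have.
    # On a domain controller query Active Directory (lastLogonTimestamp) instead.
    param([int]$Days = 90)
    $cutoff   = (Get-Date).AddDays(-$Days)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($obj in $computer.Children) {
        if ($obj.SchemaClassName -ne 'user') { continue }
        $name     = $obj.Name.Value
        $disabled = (([int]$obj.UserFlags.Value) -band 0x0002) -ne 0   # ADS_UF_ACCOUNTDISABLE
        $last     = $null
        try { $last = [datetime]$obj.LastLogin.Value } catch { }       # throws if never logged on
        if (-not $disabled -and (($last -eq $null) -or ($last -lt $cutoff))) {
            New-Object PSObject -Property @{ Name = $name; LastLogin = $last }
        }
    }
}

function Disable-LocalAccount {
    # Disable first, delete later: a deleted account's SID no longer resolves in old
    # Security log entries, which hurts a later investigation.
    param([string]$Name)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.Put('UserFlags', (([int]$user.UserFlags.Value) -bor 0x0002))
    $user.SetInfo()
}

function Set-AutomaticUpdatesSchedule {
    # Policy keys for Automatic Updates. AUOptions 4 = download and install on schedule;
    # ScheduledInstallDay 0 = every day, 1 = Sunday ... 7 = Saturday; hour is 0-23.
    param([int]$Day = 0, [int]$Hour = 3)
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
    Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0     -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions            -Value 4     -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value $Day  -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $Hour -Type DWord
    # Do not reboot under a logged-on administrator; notify instead.
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

# Usage
New-BaselineBackup -Target 'D:\Baseline'
Get-StaleLocalAccounts -Days 90 | Format-Table Name, LastLogin -AutoSize
Set-AutomaticUpdatesSchedule -Day 0 -Hour 3
```

Copy both the .bkf and the SHA256SUMS line to media that is not writable from the server; a hash that lives next to the backup on the same box proves nothing once the box is compromised. Review the stale-account list by hand before calling Disable-LocalAccount on anything, since service accounts that never log on interactively will show up with no LastLogin.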
Technical editor Sandra Kay Miller is a frequent contributor to Information Security magazine.
Send comments on this technical tip to firstname.lastname@example.org.