Windows Server 2003 (Win2K3) Provisioning and Hardening Checklist
General Information
Name of Individual Performing the Windows Server 2003 Provisioning and Hardening:
  Last Name:
  First Name:
  Middle Name:
  Title:
  Date of Review:
Additional Information:
  Department:
  Division:
  Office:
  Immediate Supervisor:
Server Information
  (1). Hostname of Server:
  (2). Type of Application(s) on Server:
  (3). IP Address of Server:
  (4). Function of Server:
  (5). FIPS Security Category:
  (7). Data | Info. Classification Level:
  Additional Information:
Vulnerability Severity Codes
  Severity 1: Vulnerabilities which, when exploited, lead to immediate superuser access, unauthorized access to a machine, or allow an attacker to bypass security controls.
  Severity 2: Vulnerabilities which provide an attacker information with a high probability of allowing unauthorized access to a machine, or of bypassing security controls.
  Severity 3: Vulnerabilities which grant an attacker information that may possibly lead to the compromise of a machine, or the bypassing of existing security controls.
  Severity 4: Vulnerabilities which generally degrade the overall security of a system when left unresolved.
Operating System

(1). Task: The version of Microsoft Windows installed should not be less than Service Pack 2.
     Severity Code: 1    Date Completed:    Signature:

(2). Task: Ensure the system is configured to disable automatic administrator login.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(3). Task: All vendor-recommended patches and hot fixes should be installed.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(4). Task: The built-in Administrator and Guest accounts should be renamed to something other than Administrator or Guest.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(5). Task: Unless a documented need exists, the Guest account should be disabled.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(6). Task: The system screen saver settings should be configured to lock the screen as required by organizational or regulatory policy.
     Severity Code: 2    Date Completed:    Signature:
System Auditing

(1). Task: The Application, System, and Security Event log files should have ACLs set as follows: Administrators – Read and Execute; System – Full Control.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(2). Task: Each partition/drive should be set to audit "Failures" for the Everyone group at a minimum.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(3). Task: Configure the system to disallow guest access to the Event logs.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(4). Task: The HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM registry hives should have auditing set to record "Failures" for the Everyone group at a minimum.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(5). Task: ... organizational or regulatory requirements.
     Severity Code:    Date Completed:    Signature:
     Additional Information:
System Access Controls

(1). Task: The system should be configured to disallow the anonymous enumeration of SAM accounts and network shares. (Note: For domains supporting Exchange 2003, this setting should be allowed for the DC Group Policy.)
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(2). Task: Configure the system to lock an account after 3 or fewer bad login attempts.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(3). Task: The "Reset account lockout counter" setting should be set to 30 minutes or greater.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(4). Task: The "Account lockout duration" setting should be set to 0, which requires an administrator to unlock accounts that have been locked out.
     Severity Code: 2    Date Completed:    Signature:

(5). Task: The system should be configured to cache 3 or fewer user logins.
     Severity Code: 3    Date Completed:    Signature:
     Additional Information:
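The five items above map onto values that `secedit /export /cfg <file>` writes out: the lockout thresholds live under [System Access], and the anonymous-enumeration and cached-logon settings appear under [Registry Values]. The following Python script is an added example, not part of this checklist; it parses such an export and reports which items fail. The INF text in it is constructed, and it assumes that a GUI lockout duration of 0 ("until an administrator unlocks") is exported as LockoutDuration = -1 and that Python is available wherever the export is copied.

```python
"""Check System Access Controls items (1)-(5) against a ``secedit`` export.

Added example, not part of the checklist.  On the server run
    secedit /export /cfg C:\\audit.inf
then copy the file wherever Python is available and call
audit_system_access() on its text.  SAMPLE_INF below is constructed.
"""
import sys

# Constructed sample export; every value breaks an item so each path is shown.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Version]
signature="$CHICAGO$"
Revision=1
"""

RESTRICT_ANONYMOUS = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"
RESTRICT_ANONYMOUS_SAM = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM"
CACHED_LOGONS = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"


def parse_inf(text):
    """Return {section: {key: value}}; blank lines and ';' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def registry_value(sections, path):
    """Data part of a [Registry Values] entry ('type,data'), unquoted, or None.

    Paths are compared case-insensitively; REG_SZ data (type 1) is exported in
    double quotes, REG_DWORD data (type 4) bare.
    """
    for key, entry in sections.get("Registry Values", {}).items():
        if key.lower() == path.lower():
            return entry.split(",", 1)[1].strip().strip('"')
    return None


def audit_system_access(inf_text):
    """Return [(item number, finding)], empty when all five items comply."""
    sections = parse_inf(inf_text)
    access = sections.get("System Access", {})
    findings = []

    def number(key):
        try:
            return int(access[key])
        except (KeyError, ValueError):
            return None

    # (1) RestrictAnonymous=1 blocks anonymous SAM and share enumeration;
    #     RestrictAnonymousSAM=1 covers the account half on its own.
    if registry_value(sections, RESTRICT_ANONYMOUS) != "1":
        findings.append((1, "RestrictAnonymous is not 1"))
    if registry_value(sections, RESTRICT_ANONYMOUS_SAM) != "1":
        findings.append((1, "RestrictAnonymousSAM is not 1"))

    # (2) LockoutBadCount 1-3; 0 or absent means lockout is switched off.
    bad = number("LockoutBadCount")
    if not bad or bad > 3:
        findings.append((2, "LockoutBadCount=%s, expected 1-3" % access.get("LockoutBadCount")))

    # (3) counter reset after 30 minutes or more.
    reset = number("ResetLockoutCount")
    if reset is None or reset < 30:
        findings.append((3, "ResetLockoutCount=%s, expected >= 30" % access.get("ResetLockoutCount")))

    # (4) GUI value 0 ("until an administrator unlocks") is exported as -1
    #     (assumption stated in the lead-in); a literal 0 is accepted as well.
    duration = number("LockoutDuration")
    if duration not in (-1, 0):
        findings.append((4, "LockoutDuration=%s, expected -1" % access.get("LockoutDuration")))

    # (5) CachedLogonsCount is REG_SZ, hence the quotes in the export.
    cached = registry_value(sections, CACHED_LOGONS)
    if cached is None or not cached.isdigit() or int(cached) > 3:
        findings.append((5, "CachedLogonsCount=%s, expected <= 3" % cached))
    return findings


if __name__ == "__main__":
    # secedit writes the export as UTF-16; fall back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    findings = audit_system_access(text)
    for item, finding in findings:
        print("item (%d): %s" % (item, finding))
    if not findings:
        print("all five items comply")
```

Run without arguments the script audits the constructed sample and flags all five items; run with the path of a real export it audits that host. Keeping the parser separate from the checks means the same export can be reused for the password-policy keys in [System Access] once the organizational values in the User Account Privilege Controls section are known.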
User Account Privilege Controls

(1). Task: No user, including administrators, should be granted the right "Act as part of the operating system".
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(2). Task: Ensure the following User Rights are assigned:
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:
       Access this computer from network – Administrators, Authenticated Users, Enterprise Domain Controllers
       Add workstations to domain – Administrators
       Adjust memory quotas for a process – Administrators, Local Service, Network Service
       Allow log on locally – Administrators, Backup Operators
       Allow log on through Terminal Services – Administrators
       Backup files and directories – Administrators, Backup Operators
       Bypass traverse checking – Authenticated Users
       Change the system time – Administrators, Local Service
       Create a pagefile – Administrators
       Create a token object – (None)
       Create global objects – Administrators, Service
       Create permanent shared objects – (None)
       Deny logon as a batch job – Guests, Support_388945a0
       Deny logon as a service – (None)
       Enable computer and user accounts to be trusted for delegation – Administrators
       Force shutdown from a remote system – Administrators
       Generate security audits – Local Service, Network Service
       Impersonate a client after authentication – Administrators, Service
       Increase scheduling priority – Administrators
       Load and unload device drivers – Administrators
       Lock pages in memory – (None)
       Log on as a batch job – (None)
       Log on as a service – Network Service
       Manage auditing and security log – Administrators Group (Exchange Enterprise Servers Group on Domain Controllers and Exchange Servers)
       Modify firmware environment values – Administrators
       Perform volume maintenance tasks – Administrators
       Profile single process – Administrators
       Profile system performance – Administrators
       Remove computer from docking station – Administrators
       Replace a process level token – Local Service, Network Service
       Restore files and directories – Administrators, Backup Operators
       Shut down the system – Administrators
       Take ownership of files or other objects – Administrators
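A user-rights review is easiest to automate from the [Privilege Rights] section of the same secedit export, where each right appears under its Se* constant with groups written as *SID and local accounts by name. The Python script below is an added example, not part of this checklist: it compares a subset of the assignments in item (2) (plus the "Act as part of the operating system" rule of item (1)) against that section as an exact set, so both unexpected and missing holders are reported. The sample section is constructed; the well-known SIDs are Microsoft's documented values, and the Exchange-dependent "Manage auditing and security log" right is left out because its expected holders vary by role.

```python
"""Compare the [Privilege Rights] section of a ``secedit`` export with the
User Rights assignments in item (2) and the "Act as part of the operating
system" rule of item (1).

Added example, not part of the checklist.  secedit writes groups as *SID and
local accounts by name; the well-known SIDs below are Microsoft's documented
values.  SAMPLE_PRIVILEGE_RIGHTS is constructed.
"""

# Well-known SIDs, in the *SID form secedit uses.
ADMINISTRATORS = "*S-1-5-32-544"
BACKUP_OPERATORS = "*S-1-5-32-551"
GUESTS = "*S-1-5-32-546"
AUTHENTICATED_USERS = "*S-1-5-11"
ENTERPRISE_DCS = "*S-1-5-9"
LOCAL_SERVICE = "*S-1-5-19"
NETWORK_SERVICE = "*S-1-5-20"
SERVICE = "*S-1-5-6"
SUPPORT_ACCOUNT = "SUPPORT_388945a0"   # local account, exported by name

# Exact holder set the checklist expects per right (empty set = "(None)").
EXPECTED = {
    "SeNetworkLogonRight": {ADMINISTRATORS, AUTHENTICATED_USERS, ENTERPRISE_DCS},  # Access this computer from network
    "SeInteractiveLogonRight": {ADMINISTRATORS, BACKUP_OPERATORS},   # Allow log on locally
    "SeRemoteInteractiveLogonRight": {ADMINISTRATORS},               # Allow log on through Terminal Services
    "SeBackupPrivilege": {ADMINISTRATORS, BACKUP_OPERATORS},         # Backup files and directories
    "SeRestorePrivilege": {ADMINISTRATORS, BACKUP_OPERATORS},        # Restore files and directories
    "SeTcbPrivilege": set(),                                         # Act as part of the operating system
    "SeCreateTokenPrivilege": set(),                                 # Create a token object
    "SeLockMemoryPrivilege": set(),                                  # Lock pages in memory
    "SeBatchLogonRight": set(),                                      # Log on as a batch job
    "SeDenyBatchLogonRight": {GUESTS, SUPPORT_ACCOUNT},              # Deny logon as a batch job
    "SeServiceLogonRight": {NETWORK_SERVICE},                        # Log on as a service
    "SeChangeNotifyPrivilege": {AUTHENTICATED_USERS},                # Bypass traverse checking
    "SeImpersonatePrivilege": {ADMINISTRATORS, SERVICE},             # Impersonate a client after authentication
    "SeCreateGlobalPrivilege": {ADMINISTRATORS, SERVICE},            # Create global objects
    "SeAuditPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},            # Generate security audits
    "SeAssignPrimaryTokenPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},  # Replace a process level token
    "SeIncreaseQuotaPrivilege": {ADMINISTRATORS, LOCAL_SERVICE, NETWORK_SERVICE},  # Adjust memory quotas
    "SeShutdownPrivilege": {ADMINISTRATORS},                         # Shut down the system
    "SeTakeOwnershipPrivilege": {ADMINISTRATORS},                    # Take ownership of files or other objects
}

# Constructed sample: Everyone was added to network logon, Remote Desktop Users
# to Terminal Services logon, and a service account holds SeTcbPrivilege.
# Rights secedit does not list (e.g. SeCreateTokenPrivilege) have no holders.
SAMPLE_PRIVILEGE_RIGHTS = """
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTcbPrivilege = svc_legacy
SeDenyBatchLogonRight = *S-1-5-32-546,SUPPORT_388945a0
SeServiceLogonRight = *S-1-5-20
SeChangeNotifyPrivilege = *S-1-5-11
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""


def parse_privilege_rights(text):
    """Map each Se* name to its holders (upper-cased for name comparison)."""
    rights = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("["):
            continue
        name, holders = line.split("=", 1)
        rights[name.strip()] = {h.strip().upper() for h in holders.split(",") if h.strip()}
    return rights


def compare_rights(text):
    """Return {right: (extra holders, missing holders)} for each deviating right."""
    actual = parse_privilege_rights(text)
    deviations = {}
    for right, expected in EXPECTED.items():
        wanted = {e.upper() for e in expected}
        holders = actual.get(right, set())
        extra, missing = holders - wanted, wanted - holders
        if extra or missing:
            deviations[right] = (sorted(extra), sorted(missing))
    return deviations


if __name__ == "__main__":
    for right, (extra, missing) in compare_rights(SAMPLE_PRIVILEGE_RIGHTS).items():
        print("%s: unexpected=%s missing=%s" % (right, extra, missing))
```

Exact-set comparison is deliberate: a right with too few holders (say, Backup Operators dropped from "Restore files and directories") breaks operations, while one with too many widens the attack surface, and both deserve a line on the review sheet.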
(3). Task: Minimum and Maximum Password Age, Password Length/Complexity, and Password Uniqueness settings should comply with organizational or regulatory standards.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:
Networking Security

(1). Task: All unnecessary services and protocols should be disabled.
     Severity Code: 1    Date Completed:    Signature:

(2). Task: If the FTP service is enabled, it should be configured to disallow access to system-related files such as PAGEFILE.sys or NTLDR.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(3). Task: All forms of remote access to system services should be conducted using encrypted formats such as SSH or Remote Desktop Protocol.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(4). Task: Configure the system to disallow "Remote Assistance".
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(5). Task: The server's web content should be kept in a separate partition from the server's system files.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(6). Task: Configure the system to prevent the sending of unencrypted passwords to third-party SMB servers.
     Severity Code: 2    Date Completed:    Signature:

(7). Task: Configure the system to disallow anonymous remote registry access.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(8). Task: Ensure the LanMan authentication level is set to at least "Send NTLMv2 response only\refuse LM".
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(9). Task: The following accounts should be denied the ability to log in to the machine remotely: Guests, Anonymous Logon, Support_388945a0.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(10). Task: The system should be configured to perform SMB packet signing and encryption wherever possible.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(11). Task: Ensure the system is configured to require secure RPC connections.
     Severity Code: 2    Date Completed:    Signature:

(12). Task: The system should be configured to disallow IP Source Routing, ICMP Redirects, and Internet Router Discovery Protocol. Additionally, configure the system to allow connections to time out sooner if a SYN flood is detected.
     Severity Code: 3    Date Completed:    Signature:
     Additional Information:

(13). Task: Configure the system to ignore NetBIOS name release requests from all systems except WINS servers.
     Severity Code: 3    Date Completed:    Signature:
     Additional Information:
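Items (6), (8), (10), (12) and (13) are all DWORD values under HKEY_LOCAL_MACHINE, so a single table-driven check covers them. The Python script below is an added example, not part of this checklist: `audit_registry()` evaluates a plain dict of values against the expected settings so it can be tested off-box, and `read_live_values()` fills that dict through `winreg` when run on the server (Python being present on the 2003 host is an assumption). The sample dict is constructed. A value that is absent is reported too, because the OS default then applies and the checklist wants each setting made explicit.

```python
"""Audit the registry values behind Networking Security items (6), (8), (10),
(12) and (13): plaintext SMB passwords, LAN Manager authentication level, SMB
signing, TCP/IP hardening and NetBIOS name-release handling.

Added example, not part of the checklist.  audit_registry() works on a plain
dict so it can be tested off-box; read_live_values() fills that dict through
winreg when run on the server (Python on the 2003 host is an assumption).
SAMPLE_VALUES is constructed.
"""
TCPIP = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NETBT = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
WKS = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# (checklist item, HKLM subkey, value name, predicate on the DWORD, meaning)
CHECKS = [
    (6, WKS, "EnablePlainTextPassword", lambda v: v == 0,
     "never send plaintext passwords to third-party SMB servers"),
    (8, LSA, "LmCompatibilityLevel", lambda v: v >= 4,
     "4 = send NTLMv2 only / refuse LM, 5 = also refuse NTLM"),
    (10, WKS, "EnableSecuritySignature", lambda v: v == 1,
     "client signs SMB traffic when the peer agrees"),
    (10, SRV, "EnableSecuritySignature", lambda v: v == 1,
     "server signs SMB traffic when the peer agrees"),
    (12, TCPIP, "DisableIPSourceRouting", lambda v: v == 2,
     "drop all source-routed packets"),
    (12, TCPIP, "EnableICMPRedirect", lambda v: v == 0,
     "ignore ICMP redirects"),
    (12, TCPIP, "PerformRouterDiscovery", lambda v: v == 0,
     "Internet Router Discovery Protocol off"),
    (12, TCPIP, "SynAttackProtect", lambda v: v == 1,
     "shorter connection time-outs under a SYN flood"),
    (13, NETBT, "NoNameReleaseOnDemand", lambda v: v == 1,
     "ignore NetBIOS name-release requests except from WINS"),
]

# Constructed sample of a half-hardened host; None would mean "value absent",
# and NoNameReleaseOnDemand is left out of the dict entirely.
SAMPLE_VALUES = {
    (WKS, "EnablePlainTextPassword"): 0,
    (LSA, "LmCompatibilityLevel"): 2,      # still sends NTLMv1: finding
    (WKS, "EnableSecuritySignature"): 1,
    (SRV, "EnableSecuritySignature"): 0,   # server never signs: finding
    (TCPIP, "DisableIPSourceRouting"): 2,
    (TCPIP, "EnableICMPRedirect"): 1,      # finding
    (TCPIP, "PerformRouterDiscovery"): 0,
    (TCPIP, "SynAttackProtect"): 1,
}


def audit_registry(values):
    """values: {(subkey, name): int or None}.  Returns [(item, path, detail)].

    An absent value is reported as well: the OS default then applies, and the
    checklist wants the setting made explicit rather than assumed.
    """
    findings = []
    for item, subkey, name, ok, meaning in CHECKS:
        path = subkey + "\\" + name
        current = values.get((subkey, name))
        if current is None:
            findings.append((item, path, "not set, default applies: " + meaning))
        elif not ok(current):
            findings.append((item, path, "value %d fails: %s" % (current, meaning)))
    return findings


def read_live_values():
    """Read every checked value from HKEY_LOCAL_MACHINE (Windows only)."""
    import winreg
    values = {}
    for _item, subkey, name, _ok, _meaning in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                values[(subkey, name)] = int(winreg.QueryValueEx(handle, name)[0])
        except OSError:           # key or value missing
            values[(subkey, name)] = None
    return values


if __name__ == "__main__":
    import sys
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    for item, path, detail in audit_registry(values):
        print("item (%d) HKLM\\%s: %s" % (item, path, detail))
```

The "wherever possible" wording of item (10) corresponds to EnableSecuritySignature (sign when the peer agrees); where a site decides to require signing outright, the same row can be pointed at RequireSecuritySignature instead.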
Local Security Options

(1). Task: The system should be configured to disable AutoRun for all drives and removable media.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(2). Task: Anonymous SID/Name translation should be disabled.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(3). Task: Anonymous access to named pipes should be limited to the following: lsarpc, samr.
     Severity Code:    Date Completed:    Signature:
     Additional Information:

(4). Task: Remotely accessible registry paths should be restricted to the following:
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:
       System\CurrentControlSet\Control\ProductOptions
       System\CurrentControlSet\Control\Server Applications
       Software\Microsoft\Windows NT\CurrentVersion

(5). Task: No unapproved account should be able to "Debug programs" or have more than read access to Winlogon registry keys.
     Severity Code: 1    Date Completed:    Signature:
     Additional Information:

(6). Task: The ACLs for all disabled services should be set as follows: Administrators – Full Control, System – Full Control, Interactive – Read.
     Severity Code: 2    Date Completed:    Signature:
     Additional Information:

(7). Task: Configure the system to disallow the storing of passwords using reversible encryption.
     Severity Code: 2    Date Completed:    Signature:
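Items (3) and (4) differ from the DWORD settings elsewhere in the checklist: both are REG_MULTI_SZ allow-lists (NullSessionPipes under the LanmanServer parameters, and the Machine value under SecurePipeServers\winreg\AllowedExactPaths for the exact-path policy), so the right test is set containment rather than equality. The Python script below is an added example, not part of this checklist; an entry outside the allow-list is a finding, a missing entry is not, and the comparison is case-insensitive because the registry is. The sample values are constructed, and `read_multi_sz()` is the `winreg` reader to use on the server itself.

```python
"""Check the two allow-lists in Local Security Options items (3) and (4):
NullSessionPipes (named pipes reachable anonymously) and the remotely
accessible registry paths (AllowedExactPaths\\Machine).  Both are REG_MULTI_SZ
values, so the test is set containment: an entry outside the checklist's list
is a finding, a missing entry is not.

Added example, not part of the checklist; SAMPLE_PIPES and SAMPLE_PATHS are
constructed, and read_multi_sz() is the winreg reader for use on the server.
"""
NULL_SESSION_PIPES = (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "NullSessionPipes")
ALLOWED_EXACT_PATHS = (r"SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths", "Machine")

# Allow-lists exactly as the checklist states them.
ALLOWED_PIPES = {"lsarpc", "samr"}
ALLOWED_PATHS = {
    r"System\CurrentControlSet\Control\ProductOptions",
    r"System\CurrentControlSet\Control\Server Applications",
    r"Software\Microsoft\Windows NT\CurrentVersion",
}

# Constructed sample: an older application left extra pipes open and added a
# registry path for remote monitoring.
SAMPLE_PIPES = ["COMNAP", "COMNODE", r"SQL\QUERY", "lsarpc", "samr"]
SAMPLE_PATHS = [
    r"System\CurrentControlSet\Control\ProductOptions",
    r"System\CurrentControlSet\Control\Server Applications",
    r"Software\Microsoft\Windows NT\CurrentVersion",
    r"System\CurrentControlSet\Services\Eventlog",
]


def excess_entries(current, allowed):
    """Entries of a REG_MULTI_SZ list not in the allow-list (case-insensitive,
    blank entries ignored), sorted for stable reporting."""
    wanted = {a.lower() for a in allowed}
    return sorted(e.strip() for e in current if e.strip() and e.strip().lower() not in wanted)


def audit_allow_lists(null_session_pipes, allowed_exact_paths):
    """Return {setting: [offending entries]}; empty when items (3) and (4) comply."""
    findings = {}
    for label, current, allowed in (
        ("NullSessionPipes", null_session_pipes, ALLOWED_PIPES),
        ("AllowedExactPaths\\Machine", allowed_exact_paths, ALLOWED_PATHS),
    ):
        extra = excess_entries(current, allowed)
        if extra:
            findings[label] = extra
    return findings


def read_multi_sz(subkey, name):
    """Read a REG_MULTI_SZ value from HKLM as a list of strings (Windows only);
    a missing key or value is treated as an empty list."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
            data, kind = winreg.QueryValueEx(handle, name)
    except OSError:
        return []
    return list(data) if kind == winreg.REG_MULTI_SZ else [str(data)]


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        pipes, paths = read_multi_sz(*NULL_SESSION_PIPES), read_multi_sz(*ALLOWED_EXACT_PATHS)
    else:
        pipes, paths = SAMPLE_PIPES, SAMPLE_PATHS
    for setting, extra in audit_allow_lists(pipes, paths).items():
        print("%s: remove %s" % (setting, ", ".join(extra)))
```

Entries flagged here should be traced to the application that needs them before removal; the checklist's "Additional Information" field is the place to record that justification when one exists.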