15 steps to hardening Windows Server 2003

Step 1: Be rigid on passwords
Main points: Enforce stronger authentication by encouraging the use of passphrases and requiring a 15-character minimum.

Step 2: Use Windows XP software restriction policies through Group Policy
Main points: Use Group Policy to block all extensions related to scripts and disallow especially nefarious programs (cmd. exe, Regedit.exe).

Step 3: Enable Internet Connection Firewall (ICF)
Main points: Almost every machine in your company can benefit from having a firewall. ICF only blocks incoming traffic, uses stateful packet inspection and allows you to force open particular ports.

Step 4: Kill LM hashes
Main points: To eliminate LM hashes, require a 15-character minimum for passwords and enable the Security Option "Network Security: Do not store LAN manager hash value on next password change."

More Information Use this checklist on the job to fortify your Web server. Visit this resource center for news, tips and expert advice on how to harden a Web server

Step 5: Strengthen TCP/IP stack
Main points: You should not connect Windows systems directly to the Internet. Instead increase RAM for TCP connections and decrease timeout values for 3-way handshakes.

Step 6: Mandate SMB signing
Main points: SMB signing will help you prevent man-in-the-middle attacks.

Step 7: Harden network policies
Main points: You should enable settings like "Do not allow anon. enum of SAM" and disable settings like "Allow anonymous SID/Name translation." This may be considered security by obscurity, but it's an important component of hardened Windows systems.

Step 8: Use Software Update Services (SUS)
Main points: You should always use SUS or some other patch management system to receive, distribute and schedule the most up-to-date patches.

Step 9: Rope off, quarantine, sanitize
Main points: This is a very important step. Using Network Access Quarantine Control, you should limit or disallow resources to certain clients, put non-quarantined clients in a holding bin to verify system attributes and finally provide resources to fix any problems discovered before they're allowed to connect.

Step 10: Plan for the worst
Main points: To plan for disasters, use scripts to build up 80% of your infrastructure and leave yourself much more time to manually reconstruct the remaining 20%.

Step 11: Get the Group Policy Management Console
Main points: It's now easier than ever to use Group Policy to set security policies across the board -- and you should take advantage of it.

Step 12: Use the Microsoft Baseline Security Analyzer (MBSA)
Main points: This is a handy tool used to scan computers in a Windows Update-like fashion. It is continually updated by Microsoft and it supports a number of products.

Step 13: Familiarize yourself with IPsec
Main points: IP is too public not to be encrypted. You should use IPsec to protect transmissions between servers, client tunnels and any point-to-point IP transactions where both ends know how to read IPsec.

Step 14: Use Internet Information Services (IIS) 6.0
Main points: Thanks to many new security improvements, IIS is finally ready for prime-time hosting.

Step 15: Play with Windows Server 2003 Service Pack 1
Main points: With release expected in mid-2005, improvements will include a security configuration wizard and remote client quarantine.

About the Author:

Jonathan Hassell is author of Hardening Windows, published by Apress. He is a systems administrator and IT consultant residing in Raleigh, NC, with extensive experience in networking technologies and Internet connectivity. He currently runs his own Web-hosting business, Enable Hosting, based out of both Raleigh and Charlotte, NC. Jonathan's previous published work includes RADIUS, published by O'Reilly and Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security.

This tip orginally appeared on SearchWindowsSecurity.com.

Rate this Tip To rate tips, you must be a member of SearchFinancialSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Data Protection Essentials By addressing data privacy, companies avoid public scrutiny Lessons learned: The LendingTree case Lessons learned: The Countrywide Financial breach Institutionalizing risk management for ongoing management support Risk assessments: Internal vs. external Putting risk analysis into words Lessons learned: The Texas Insurance Claims Services case Lessons learned: The Montgomery Ward breach Lessons learned: The Citibank ATM breach How to lay the foundation for role entitlement management Financial database and server security Case study: How outsourcing services enable PCI DSS compliance Secure options for remote SQL Server administration Ten hacker tricks to exploit SQL Server systems Most malware at home on U.S. servers Microsoft warns of Excel zero-day flaw How to protect and harden a database server RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.