Eight Steps to a More Secure Win2k3 Server
Here's a list of eight steps you can take to tighten down your Windows 2003 server: Print it out, tape it to your cube wall, implement a few, and maybe you won't have to hear your pager over Thanksgiving dinner.
Securing a Windows Server 2003 system is a complex task. Even though Microsoft provides the operating system in a locked down state, there are still many security weaknesses and loopholes that can be exploited. Basic security measures like file permissions and password policies do a great job of making your server secure, but it is often the more obscure loopholes that allow unauthorized access to the system. Here are just a few simple strategies and practices that you can use to increase the security of your Windows Server 2003 system, and subsequently your network.
1. Change Port Numbers
Many Windows Server 2003 applications (Remote Desktop and Internet Information Server (IIS) come immediately to mind) use TCP/IP ports to receive and send traffic. Changing the default port numbers used by these applications may be all that is needed to thwart some of the more rudimentary worms, and less sophisticated attackers. In some cases you can change the default port number in the management tool that comes with the application. With other applications, like Remote Desktop, youll need to edit the registry. More information on this process can be obtained found in a Microsoft knowledgebase article 306759.
What you change the port number of applications to is largely up to you, but make sure that you are not encroaching on a port used by another application. A complete list of port numbers used by Windows applications and services can help , but there may be other, non Windows (or Microsoft) applications on your server that use other port numbers.
2. Check Logon Auditing
By default, a Windows Server 2003 domain controller implements a basic set of logon auditing. However, if you dont check the Security Event Viewer logs where related events are recorded, youll have no way of knowing whether there have been logon related issues or not. Get into the habit of checking the Security Event Viewer log on a weekly, or even better daily basis to look for occurrences that might be of concern.
3. Isolate Domain Controllers
If you have an environment with more than one server, consider not running any applications (other than Active Directory of course) on your domain controllers. You can then implement a packet filtering firewall so that only Active Directory related traffic is allowed to and from that server. Microsoft provides an extensive list of ports used by services and applications.
4. Disable Unnecessary Services
Each and every service that runs on a Windows Server 2003 system increases the attack surface of the system. Of course many of the services are essential and should not be disabled. Others, though, can often be disabled without any negative effect on the operation of the server. Exactly which services you can disable will depend on what applications and functions the server is supporting. A server that is only providing file and print server services, for example, does not need the Routing or Remote Access Service, or the Remote Access Connection Manager service. Likewise, a server acting as a dedicated remote access gateway will most likely not need the Spooler service.
Be aware, though, that some services have dependencies, which means that they wont run unless another service is also running. If you do choose to disable unnecessary services, do it one service at a time, and keep an eye and ear out for any unexpected results.
5. Run MBSA Regularly
The Microsoft Baseline Security Advisor (MBSA) is a free tool from Microsoft that will scan your Windows Server 2003 system for a range of vulnerabilities including excessive permissions, and accounts without a password. But perhaps the most significant feature of MBSA is that it will scan the system to see what security updates have been installed. It compares this list to one from Microsofts Website that details the updates available for the operating system. Any updates that are not installed are flagged, and you can subsequently install them. In addition to your server, you can scan Windows 2000 and Windows XP systems across the network. You can download MBSA from Microsoft's site. Considering that MBSA is free, there really is no good reason not to use it on a regular basis.
6. Configure Account Lockout Policy
Considering the ease with which the Account Lockout Policy is configured, it is surprising at how many networks do not have it configured. The Account Lockout Policy defines what actions the system will take if an incorrect password for a user account is entered more than a specified number of times. It is accessed through the Account Policies Node of the Domain Security Policy, which you can access from the Administrative Tools menu. The appropriate lockout policy will depend on the environment, but there are some useful suggestions on suitable settings provided in an article from the Microsoft Knowledgebase.
7. Rename the Administrator Account
Again, a very basic measure, but you would be surprised at how many networks still have the Administrator user ID in place, relying instead on a complex password to secure the account. In reality, such measures are relatively ineffective. The administrator account is purposely not covered by the Account Lockout policy mentioned earlier. For that reason, a hacker who gains access to the system can try as many passwords on the Administrator account as they like without triggering a lockout. Renaming the account will make this, the most important of accounts, considerably less vulnerable as an attack point. Also, remember to change the password for the Administrator account (or whatever you have renamed it to!) on a regular basis, and always use a complex password.
8. Password Protect Backups
Whether you use the Backup utility that comes with Windows Server 2003, or a third party product, password protecting your backups is a simple way to provide an increased level of protection for your data. Backups represent a big risk because they often contain a complete set of data from your server. If the backup media were to be lost or stolen, there is little to prevent someone from examining the tape and looking at the data. The need for backup security is even more acute than normal if, as you should, you store backup tapes offsite for disaster recovery purposes.
So there you have it. While we have listed just a handful of security measures in this article, there are literally dozens more that you can use to further secure your server. Look for similar articles to this one in the near future, where well examine some more ways for you to tighten up security on your Windows Server 2003 system.