SERVER HARDENING CHECKLIST

Transcription

1 SERVER HARDENING CHECKLIST WINDOWS 2003 SERVER CHECKLIST This checklist contains server hardening procedures for Windows 2003 Server. The procedures listed in this document are a balance of industry best practices and the unique minimum requirements of UTSA s computing environment. Since Windows 2003 Server does not come configured securely out of the box, it is necessary to follow these steps to prevent attacks from exploiting known vulnerabilities. In the event that the minimum requirements cannot be met, exceptions must be documented on this document in the area provided (Minimum Requirements Exceptions). In all cases this document must be retained for compliance and future reference. The checklist is available for download (Windows 2003 Checklist - DOC). The checklist should be downloaded and kept for your records for audit and compliance requirements. Server Information Hostname IP Address MAC Address Asset Tag Administrator Phone # Date Server Classification CAT PREPARATION Before installing Server 2003, please contact the Information Security Office for permission to add a server onto the UTSA network. Once permission has been granted, the server will have a static IP Address assigned to your host. The request for a static IP Address can be made by contacting the OIT Support Serivces at Physical Security

2 Physical server security is as important as logical server security. The server console should be protected to maintain confidentiality, integrity and availability. Step Procedure Initials 1 Access control mechanisms should be established to minimize physical access to the server. CAT 1 The following access controls are required for servers containing Cat1 data or sensitive data as classified by the Data Classification Standard: Electronic access control mechanisms must be in place to audit the access to the room where the server resides. Access to the room should be minimized to authorized administrators of the system(s). The console should be locked when not in use. If the area where the server resides is an "open" unrestricted area, a rack system should be used to secure the server and a bios password needs to be configured. CAT 2/3 The following access controls are required for servers containing Cat 2/3 data. The console must be locked when not in use. The server should reside in an area that has minimal access INSTALLATION If a server is a new install, protect it from hostile network traffic, until the operating system is installed and hardened. Consider using the Security Configuration Wizard to assist in hardening the host. Server Packs and Hot Fixes Step Procedure Initials

3 1 Install the latest service packs and hotfixes from Microsoft 2 Enable automatic update notifications of patch availability or contact OIT to receive updates via the university Microsoft SUS Server. 3 Record the patch level to establish a baseline. (use MS Baseline Analyzer) Audit and Account Policies Step Procedure Initials 1 Configure Audit Policy as described. 2 Set Password length and complexity as described below 3 Configure event log settings CONFIGURE AUDIT POLICY Configure a strong audit policy. Successful and failed logins, as well as privilege use, should be logged and monitored to detect any unauthorized activity. The UTSA Information Security Office recommends the following Auditing settings: Recommended Settings Audit account logon events Audit account management Audit directory service access No auditing

4 Audit logon events Audit object access No auditing Audit policy change Audit privilege use Audit process tracking No auditing Audit system events No auditing SET PASSWORD LENGTH AND COMPLEXITY Use the Domain Security Policy (or Local Security Policy) snap-in to strengthen the system policies for password acceptance, including: Recommended Settings Enforce password history 10 Maximum password age < 90 Minimum password age 2 Minimum password length 8 Password meets complexity requirements Enable Store passwords using reversible encryption Disabled CONFIGURE EVENT LOG

5 Recommended Settings Maximum Application log size Maximum Security log size Maximum System log size Prevent local guests group from accessing application log Enabled Prevent local guests group from accessing security log Enabled Prevent local guests group from accessing system log Enabled Retention method for application, security, and system log Overwrite as Needed SECURITY SETTINGS Step Procedure Initials 1 Disable local Guest Account 2 Disable anonymous SID/Name translation 3 Do not allow Anonymous enumeration of SAM accounts and shares 4 Ensure that the local Admin password meets password requirements listed below and as described in the Password Policy

6 5 Enable account lockout on the local Administrator account 6 Digitally Encrypt Secure Channel Data (When possible) 7 Place the University warning banner in the Message Text for Users Attempting to log on (see optional banner messages below) 8 Disable the sending of unencrypted password to connect to Third-Party SMB Servers 9 Do not allow Everyone permissions to apply to anonymous users 10 Do not allow any named pipes to be accessed anonymously 11 Ensure that no shares can be accessed anonymously 12 Choose "Classic" as the sharing and security model for local accounts 13 Allow log on through Terminal Services must be limited to a specific group(s) ie. Remote Desktop Group LOCAL ADMINISTRATOR PASSWORD LENGTH AND COMPLEXITY Password must contain at least 10 characters Set a minimum password age of < 90 Set a password history maintenance Password must contain both upper and lower case characters as well as letters Password must contain special characters

7 Passwords must not be based on personal information; must not be a word in any language, dialect, jargon, etc. LOCAL ADMINISTRATOR ACCOUNT PASSWORD POLICY Enable account lockout on the local administrator account Rename the local Administrator account to something other than Administrator UNIVERSITY WARNING BANNER ****** University of Texas at San Antonio ****** Warning! Warning! Warning! Warning! This system is for the use of authorized users only. Use of this computer without explicit authority, or in access of authority, is subject to tracking, monitoring and preservation of evidence. As a result the individual may be subject to criminal prosecution and/or disciplinary action. ADDITIONAL SECURITY PROTECTION Step Procedure Initials 1 Disable or uninstall unused services 2 Disable or delete unused users 3 Ensure all volumes are using the NTFS file system 4 Use the Internet Connection Firewall or other methods to limit connections to the server.

8 5 Configure registry permissions as needed 6 Synchronize and configure your server with the UTSA campus time servers to set system time/date 7 Install and enable anti-virus software 8 Install and enable anti-spyware software 9 Configure anti-virus and anti-spyware software to update daily 10 Configure the device boot order to prevent unauthorized booting from alternate media. 11 Install software to check the integrity of critical operating system files 12 Configure RDP connections and access controls as described 13 Systems providing storage will adhere to the requirements established under the Data Classification Standards.