As part of its Trustworthy Computing Initiative, Microsoft has acknowledged that improper installations present a major security risk. As a result, Microsoft has created the Windows Server 2003 Security Guide to help administrators execute secure and hardened installations of the newest Windows NOS (network operating system). Here is an overview of the security guide and advice on how its strategies can help you secure your implementation of either Windows Server 2003 or Windows 2000 servers and services.

Download contents
The downloadable version of the WS2K3 security guide is a little over 2 MB and offers over 70 files for testing a secured configuration, managing a migration, and supplementing an existing security policy. For administrators, the document offers advice and sample scripts, technical documentation on securing aspects of the product, and material for documenting your installation(s). Project/migration managers will benefit from the materials by using the checklists to ensure that proper security efforts have been applied during the migration.

The download is a self-extracting Windows executable that will create three directories:

  • Delivery Guide: Project management materials (implementation and migration)
  • Security Guide: Configuration checklists and scripts for administrators
  • Test Guide: More sample scripts and pass/fail testing sheets

The security guide also provides administrators with configuration scripts, security checklists, packet filter commands, and testing tools for a number of different standard server types, such as:

  • Domain controller
  • DNS server
  • DHCP server
  • WINS server
  • File server
  • Print server
  • Web server
  • IAS server
  • CA server
  • Bastion host

This list is a primer for implementing security policies for your server configuration. For your implementation, it may be necessary to establish additional categories of servers so you can create custom configurations based on the materials provided in the list above.

In my opinion, the most beneficial piece of the security guide is the 290-page PDF [Windows Server 2003 Security Guide.pdf], which presents a blanket operating system security approach while providing the appropriate level of technical detail. For example, Chapter 8 provides administrators with information on how to harden IIS. This section provides information about event logging, accounts, services, installation components, and server extensions configuration. The material can definitely help harden IIS from many directions, a valuable strategy because IIS is such a common target. You don’t have to be working with WS2K3 to benefit from this material.

While the Windows Server 2003 Security Guide provides administrators with good material for securing the core operating system, it does not provide tips for server applications like Exchange or SQL Server, both popular Microsoft server products. The security guide also gives no consideration to non-TCP/IP network protocols (a consideration for large and mixed environments). Another issue is the overlapping of the listed server roles on the same computer. Running some of the sample security scripts may secure one role, but adversely affect another role that the server plays. Thus, formulating customized scripts based on those in the security guide is probably the best strategy for securing mixed-role servers. This approach should also be used when working with other server-side applications such as Exchange and SQL.

Testing security guide materials
In my testing with some of the security guide materials, I ended up with a scenario where I needed to undo one of the changes I had made. In the \Tools and Templates\Security Guide\Sample Scripts folder of the download, there are IPSec policies I imported into my local configuration. While I could restore from a full backup, it was quite easy to undo one of the settings applied from the security guide. The contents of this particular folder are NETSH scripts that import policies into the IPSec policy of the server. Running these scripts requires you to rename the .txt file to a .cmd extension and execute the script.

You can view the list of policies on your system by running netsh ipsec static show policy all from the command line. You can also enter NETSH interactively and view the policies from there. After importing a policy, you may wish to remove it for a number of reasons, for example because it has adversely affected the performance of an application not explicitly listed in the script, or because of errors in generating a custom script.

To remove a policy, type the following: netsh ipsec static delete policy {policy name}. You can derive the name of the policy you wish to remove by using the “show” operation covered in the paragraph above. If you have multiple policies, you can also extract the policy name from the IPSec Policy Definition section of the script that created it. Some default policies will be in place from a standard installation, and others may be added by installations and configurations made after the operating system was installed, so it is a good idea to review the current policy set before adding your own.
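The show, back up and delete steps above, wrapped into a small PowerShell script as an added example (this is not code from the security guide or from Microsoft). It assumes the netsh "ipsec static" context described in the text; the "Policy Name" label it parses from the listing output, the exportpolicy/importpolicy commands used for the backup, and the policy name in the usage call are assumptions of this example, so confirm the label against your own netsh output before relying on the parser.

```powershell
# Added example: list, back up and remove netsh IPSec policies from PowerShell.
# Assumption: "netsh ipsec static show policy all" prints one "Policy Name : <name>"
# line per policy; adjust the regex below if your netsh output differs.

function Get-IpsecPolicyNames {
    # Run the "show" operation from the text and pull out the policy names.
    $output = & netsh ipsec static show policy all
    $names = @()
    foreach ($line in $output) {
        if ($line -match '^\s*Policy Name\s*:\s*(.+?)\s*$') {
            $names += $matches[1]
        }
    }
    return $names
}

function Backup-IpsecPolicies {
    param([string]$Path)
    # Export the whole local IPSec store before importing a guide script,
    # so a bad import can be rolled back with "netsh ipsec static importpolicy".
    & netsh ipsec static exportpolicy file="$Path"
    return ($LASTEXITCODE -eq 0)
}

function Remove-IpsecPolicyByName {
    param([string]$Name, [switch]$DryRun)
    # Refuse to delete a name that is not actually in the current policy set;
    # netsh is not forgiving of typos and the listing is the source of truth.
    $existing = Get-IpsecPolicyNames
    if ($existing -notcontains $Name) {
        Write-Warning "No IPSec policy named '$Name' found; nothing removed."
        return $false
    }
    if ($DryRun) {
        Write-Host "Would run: netsh ipsec static delete policy name=`"$Name`""
        return $true
    }
    & netsh ipsec static delete policy name="$Name"
    return ($LASTEXITCODE -eq 0)
}

# Usage (the backup path and policy name are constructed placeholders):
Backup-IpsecPolicies -Path 'C:\ipsec-before-guide.ipsec' | Out-Null
Get-IpsecPolicyNames
Remove-IpsecPolicyByName -Name 'Example Guide Policy' -DryRun
```

Run the listing first and confirm the name you intend to remove appears in it; the -DryRun switch prints the delete command without executing it, so you can check the exact policy name before removing anything. The functions avoid PowerShell 2.0-only syntax so they run on the PowerShell version that shipped for Windows Server 2003.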

Get started
I would recommend that every administrator of Windows 2000 and/or Windows Server 2003 download the WS2K3 Security Guide, review the materials, and implement all applicable parts on their servers. The WS2K3 Security Guide, parts of which are applicable to Windows 2000 implementations, is a good supplement to a well-balanced Windows server security policy.