September 26, 2012

Common Security Configuration Assumptions Windows Server 2008 R2


We recommend using a new installation of the operating system to start your configuration work so that Server Manager optimally configures just the roles and features that you select. However, if you cannot perform a new installation, be sure to check the following common security configurations before you start a role-specific setup. This approach helps to minimize the possibility of settings from previous configurations interfering with the server's security settings for its new role.

The following table lists the common server security configuration best practices that we recommend following before configuring a server for a specific role. You can use this table as a checklist to help ensure that your server is appropriately configured and hardened against malicious attacks.
Table 3.3 Server Configuration Best Practice Assumptions

| Component | Characteristics |
| --- | --- |
| Physical security | Store your servers in secure areas with restricted access to help limit unauthorized access and minimize the possibility of theft. |
| System Updates | After installing the operating system, use Windows Update to ensure that you have installed the latest security and system updates on the servers. |
| Roles | Use Server Manager to remove all unnecessary role services or features from the servers. This best practice helps minimize the attack surface of each server. |
| Applications, services and devices | Server Manager configures the necessary services and devices installed on each server for the roles they perform. However, any applications installed on the servers that are no longer required can affect security. We recommend removing all unnecessary applications and services from each server. |
| Protocols | Remove or disable any unused protocols. By default, Windows Server 2008 R2 SP1 installs the standard TCP/IP version 4 and 6 protocols for use with the installed network cards. |
| Accounts | Remove any unused user accounts. |
| | Ensure the Guest account is not enabled (it is disabled by default). |
| | Rename the default administrator account and establish a strong password for it. For additional protection, disable the default administrator account. |
| | Ensure strong password policies are enforced. |
| | Restrict remote logons for standard user accounts. |
| | Disable Null sessions (anonymous logons). |
| | Disable or remove shared administrative accounts. |
| | Restrict the local administrators group (ideally to two members). |
| | Require administrators to log on interactively (or implement a secure remote administration solution). |
| Files and directories | Use Windows Explorer to check the hard drives on the server for files or folders that are no longer required. If possible, reformat disks that contained sensitive legacy data. |
| | Ensure that the Everyone group has no rights to folders or shares containing sensitive data. |
| Check Shares | Remove unused shares from the server. |
| | Remove permissions from the Everyone group from any server shares. |
| Review Firewall Rules | Review the status of Windows Firewall rules to ensure that only the required network ports are available to the network. The Microsoft Attack Surface Analyzer (ASA) is designed to help administrators determine changes made to the operating system of a target computer before and after a software program is installed. For more information about this tool, see the section "Taking Advantage of the Attack Surface Analyzer (ASA)" in Chapter 2, "Implementing a Security Baseline." |
| | Review the dynamic port range configuration. For more information about dynamic ports that Windows Server 2008 R2 SP1 requires, see Microsoft Knowledge Base article 929851: "The default dynamic port range for TCP/IP." |
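
The following read-only PowerShell script is an added example, not part of the original guide: it checks the Accounts, Check Shares and Review Firewall Rules items of the table on a server that was not freshly installed. The function names New-Finding and Get-BaselineFinding are hypothetical, the choice of the two LSA registry values as the null session check is an assumption, and the script assumes a member or standalone server and an elevated PowerShell 2.0 prompt.

```powershell
# Added example: read-only audit of the Accounts, Check Shares and firewall rows.
# Targets PowerShell 2.0, so it uses WMI and ADSI rather than newer cmdlets.
function New-Finding($Check, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Detail = $Detail }
}

function Get-BaselineFinding {
    # Built-in Administrator and Guest are matched by well-known RID (-500, -501),
    # so they are found even after being renamed.
    foreach ($a in @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")) {
        if ($a.SID -like '*-501' -and -not $a.Disabled) {
            New-Finding 'Guest account' "'$($a.Name)' is enabled"
        }
        if ($a.SID -like '*-500' -and $a.Name -eq 'Administrator') {
            New-Finding 'Administrator account' 'still has the default name'
        }
    }

    # Local Administrators group, looked up by SID because its name is localized.
    $grp = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $members = @(([ADSI]"WinNT://$env:COMPUTERNAME/$($grp.Name),group").psbase.Invoke('Members'))
    if ($members.Count -gt 2) {
        New-Finding 'Administrators group' "$($members.Count) members (table suggests two)"
    }

    # Anonymous (null session) restrictions; checking these two LSA values is an assumption.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($v in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
        if ($lsa.$v -ne 1) { New-Finding 'Null sessions' "$v = $($lsa.$v)" }
    }

    # Share permissions: report every Allow ACE (AceType 0) granted to Everyone (S-1-1-0).
    foreach ($s in @(Get-WmiObject Win32_LogicalShareSecuritySetting)) {
        foreach ($ace in $s.GetSecurityDescriptor().Descriptor.DACL) {
            if ($ace.Trustee.SIDString -eq 'S-1-1-0' -and $ace.AceType -eq 0) {
                New-Finding 'Share permissions' ("{0}: Everyone, mask 0x{1:X}" -f $s.Name, $ace.AccessMask)
            }
        }
    }
}

Get-BaselineFinding | Format-Table Check, Detail -AutoSize
# Raw state for the firewall row: profile status and the TCP dynamic port range.
netsh advfirewall show allprofiles state
netsh int ipv4 show dynamicport tcp
```

An empty findings table means none of the scripted checks fired; the remaining rows of the table (physical security, unused applications, legacy files) still need manual review.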
