We recommend using a
new installation of the operating system to start your configuration work so
that Server Manager optimally configures just the roles and features that you
select. However, if you cannot perform a new installation, ensure to check the
following common security configurations before you start a role-specific
setup. This approach helps to minimize the possibility of settings from
previous configurations interfering with the server's security settings for its
new role.
The following table lists
the common server security configuration best practices that we recommend
following before configuring a server for a specific role. You can use this
table as a checklist to help ensure that your server is appropriately
configured and hardened against malicious attacks.
Table 3.3 Server Configuration Best Practice Assumptions
|
Component
|
Characteristics
|
|
Physical security
|
Store your servers in secure areas with restricted access to help
limit unauthorized access and minimize the possibility of theft.
|
|
System Updates
|
After installing
the operating system, use Windows Update to ensure that you have installed
the latest security and system updates on the servers.
|
|
Roles
|
Use Server Manager to remove all unnecessary role services or features
from the servers. This best practice helps minimize the attack surface of
each server.
|
|
Applications, services and devices
|
Server Manager
configures the necessary services and devices installed on each server for
the roles they perform. However, any applications installed on the servers
that no longer required can affect security. We recommend removing all
unnecessary applications and services from each server.
|
|
Protocols
|
Remove or disable any unused protocols. By default, Windows Server
2008 R2 SP1 installs the standard TCP/IP version 4 and 6 protocols for use
with the installed network cards.
|
|
Accounts
|
Remove any unused
user accounts.
Ensure the Guest
account is not enabled (it is disabled by default).
Rename the default
administrator account and establish a strong password for it. For additional
protection, disable the default administrator account.
Ensure strong
password policies are enforced.
Restrict remote
logons for standard user accounts.
Disable Null
sessions (anonymous logons).
Disable or remove
shared administrative accounts.
Restrict the local
administrators group (ideally to two members).
Require
administrators to log on interactively (or implement a secure remote
administration solution).
|
|
Files and directories
|
Use Windows Explorer to check the hard drives on the server for files
or folders that are no longer required. If possible, reformat disks that
contained sensitive legacy data.
Ensure that the Everyone group has no rights to folders or shares
containing sensitive data.
|
|
Check Shares
|
Remove unused
shares from the server.
Remove permissions
from the Everyone group from any server shares.
|
|
Review Firewall Rules
|
Review the status of Windows Firewall rules to ensure that only the
required network ports are available to the network. The Microsoft Attack
Surface Analyzer (ASA) is designed to help administrators determine changes
made to the operating system of a target computer before and after a software
program is installed. For more information about this tool, see the section
"Taking Advantage of the Attack Surface Analyzer (ASA)" in Chapter
2, "Implementing a Security Baseline."
Review the dynamic port range configuration. For more information
about dynamic ports that Windows Server 2008 R2 SP1 requires, see Microsoft
Knowledge Base article 929851: "The default dynamic port range for
TCP/IP."
|
