Jonathan Hassell, author of "Hardening Windows," recently conducted a checklist-style webcast that outlined 15 steps you can take right now to harden Windows Server 2003 against various threats. If you haven't viewed the webcast, here's a look at Jonathan's 15 steps and some of the main points he discussed. For the complete information and detailed expert advice, you may view the webcast any time.
Step 1: Be rigid on passwords
Main points: Enforce stronger authentication by encouraging the use of passphrases and requiring a 15-character minimum.
Step 2: Use Windows XP software restriction policies through Group Policy
Main points: Use Group Policy to block all extensions related to scripts and disallow especially nefarious programs (cmd. exe, Regedit.exe).
Step 3: Enable Internet Connection Firewall (ICF)
Main points: Almost every machine in your company can benefit from having a firewall. ICF only blocks incoming traffic, uses stateful packet inspection and allows you to force open particular ports.
Step 4: Kill LM hashes
Main points: To eliminate LM hashes, require a 15-character minimum for passwords and enable the Security Option "Network Security: Do not store LAN manager hash value on next password change."
Step 5: Strengthen TCP/IP stack
Main points: You should not connect Windows systems directly to the Internet. Instead increase RAM for TCP connections and decrease timeout values for 3-way handshakes.
Step 6: Mandate SMB signing
Main points: SMB signing will help you prevent man-in-the-middle attacks.
Step 7: Harden network policies
Main points: You should enable settings like "Do not allow anon. enum of SAM" and disable settings like "Allow anonymous SID/Name translation." This may be considered security by obscurity, but it's an important component of hardened Windows systems.
Step 8: Use Software Update Services (SUS)
Main points: You should always use SUS or some other patch management system to receive, distribute and schedule the most up-to-date patches.
Step 9: Rope off, quarantine, sanitize
Main points: This is a very important step. Using Network Access Quarantine Control, you should limit or disallow resources to certain clients, put non-quarantined clients in a holding bin to verify system attributes and finally provide resources to fix any problems discovered before they're allowed to connect.
Step 10: Plan for the worst
Main points: To plan for disasters, use scripts to build up 80% of your infrastructure and leave yourself much more time to manually reconstruct the remaining 20%.
Step 11: Get the Group Policy Management Console
Main points: It's now easier than ever to use Group Policy to set security policies across the board -- and you should take advantage of it.
Step 12: Use the Microsoft Baseline Security Analyzer (MBSA)
Main points: This is a handy tool used to scan computers in a Windows Update-like fashion. It is continually updated by Microsoft and it supports a number of products.
Step 13: Familiarize yourself with IPsec
Main points: IP is too public not to be encrypted. You should use IPsec to protect transmissions between servers, client tunnels and any point-to-point IP transactions where both ends know how to read IPsec.
Step 14: Use Internet Information Services (IIS) 6.0
Main points: Thanks to many new security improvements, IIS is finally ready for prime-time hosting.
Step 15: Play with Windows Server 2003 Service Pack 1
Main points: With release expected in mid-2005, improvements will include a security configuration wizard and remote client quarantine.
For complete information and expert advice to help you enforce the 15 steps listed above, view the webcast today!
About the speaker: Jonathan Hassell is author of Hardening Windows, published by Apress. He is a systems administrator and IT consultant residing in Raleigh, NC, with extensive experience in networking technologies and Internet connectivity. He currently runs his own Web-hosting business, Enable Hosting, based out of both Raleigh and Charlotte, NC. Jonathan's previous published work includes RADIUS, published by O'Reilly and Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. You can e-mail Jonathan at jhassell@gmail.com.
